Loading ...

Play interactive tourEdit tour

Analysis Report VVV.exe

Overview

General Information

Sample Name:VVV.exe
Analysis ID:299402
MD5:41c38b28a965f10261a320ec88c7adc0
SHA1:f633611416eacf26ca20291e672a954a186220cd
SHA256:42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
Tags:AdwareGeneric

Most interesting Screenshot:

Detection

Raccoon
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Binary is likely a compiled AutoIt script file
Hides threads from debuggers
Machine Learning detection for dropped file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • VVV.exe (PID: 6536 cmdline: 'C:\Users\user\Desktop\VVV.exe' MD5: 41C38B28A965F10261A320EC88C7ADC0)
    • Pigeon_39.exe (PID: 6724 cmdline: 'C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exe' MD5: F7958823D5A3C0A2DF7974ADDE4028D0)
      • RealtekSb.exe (PID: 6856 cmdline: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe MD5: F7958823D5A3C0A2DF7974ADDE4028D0)
    • Glad_84.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe' MD5: 0881095412775A91DCAAB9B0FF5325E4)
      • cmd.exe (PID: 6416 cmdline: C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc install MicrosoftDefenderBackup C:\ProgramData\Microsoft\MicrosoftDefender\WUDHost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 672 cmdline: C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc start MicrosoftDefenderBackup MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4708 cmdline: C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc set MicrosoftDefenderBackup start SERVICE_AUTO_START && mwc start MicrosoftDefenderBackup MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3888 cmdline: 'C:\Windows\System32\cmd.exe' /c ping -n 5 localhost < nul & del /F /Q 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 4672 cmdline: ping -n 5 localhost MD5: 70C24A306F768936563ABDADB9CA9108)
    • Crew_95.exe (PID: 6840 cmdline: 'C:\Users\user\AppData\Roaming\Software\Crew_95.exe' MD5: EF9AA9009C8DF44BB806F66B8E367BF7)
      • WerFault.exe (PID: 5396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 944 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • RealtekSb.exe (PID: 6876 cmdline: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe MD5: F7958823D5A3C0A2DF7974ADDE4028D0)
  • RealtekSb.exe (PID: 5636 cmdline: 'C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe' MD5: F7958823D5A3C0A2DF7974ADDE4028D0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: Crew_95.exe PID: 6840JoeSecurity_RaccoonYara detected Raccoon StealerJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus detection for dropped fileShow sources
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeAvira: detection malicious, Label: HEUR/AGEN.1102922
    Multi AV Scanner detection for dropped fileShow sources
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeMetadefender: Detection: 25%Perma Link
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeReversingLabs: Detection: 74%
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeMetadefender: Detection: 25%Perma Link
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeReversingLabs: Detection: 74%
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeReversingLabs: Detection: 75%
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeReversingLabs: Detection: 75%
    Source: C:\Users\user\AppData\Roaming\Software\software.exeReversingLabs: Detection: 16%
    Multi AV Scanner detection for submitted fileShow sources
    Source: VVV.exeReversingLabs: Detection: 79%
    Yara detected Raccoon StealerShow sources
    Source: Yara matchFile source: Process Memory Space: Crew_95.exe PID: 6840, type: MEMORY
    Machine Learning detection for dropped fileShow sources
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeJoe Sandbox ML: detected
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00406444 FindFirstFileA,FindClose,0_2_00406444
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00405909 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405909
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00402765 FindFirstFileA,0_2_00402765

    Networking:

    barindex
    Uses ping.exe to check the status of other devices and networksShow sources
    Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
    Source: Joe Sandbox ViewIP Address: 195.201.225.248 195.201.225.248
    Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownTCP traffic detected without corresponding DNS query: 178.159.43.35
    Source: unknownDNS traffic detected: queries for: telete.in
    Source: Glad_84.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
    Source: Glad_84.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
    Source: Glad_84.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
    Source: Glad_84.exe.0.drString found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
    Source: Glad_84.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
    Source: Glad_84.exe.0.drString found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
    Source: Glad_84.exe.0.drString found in binary or memory: http://drweb.com/
    Source: VVV.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
    Source: VVV.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: Glad_84.exe.0.drString found in binary or memory: http://ocsp.digicert.com0I
    Source: Glad_84.exe.0.drString found in binary or memory: http://ocsp.digicert.com0R
    Source: Glad_84.exe.0.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_004053A6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004053A6
    Source: RealtekSb.exe, 00000006.00000002.284164834.00000000016FA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud:

    barindex
    Yara detected Raccoon StealerShow sources
    Source: Yara matchFile source: Process Memory Space: Crew_95.exe PID: 6840, type: MEMORY

    System Summary:

    barindex
    Binary is likely a compiled AutoIt script fileShow sources
    Source: Glad_84.exe, 00000003.00000002.291796071.0000000001175000.00000040.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
    Source: Glad_84.exe, 00000003.00000002.291796071.0000000001175000.00000040.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    PE file contains section with special charsShow sources
    Source: Pigeon_39.exe.0.drStatic PE information: section name:
    Source: Pigeon_39.exe.0.drStatic PE information: section name: .idata
    Source: Pigeon_39.exe.0.drStatic PE information: section name:
    Source: RealtekSb.exe.1.drStatic PE information: section name:
    Source: RealtekSb.exe.1.drStatic PE information: section name: .idata
    Source: RealtekSb.exe.1.drStatic PE information: section name:
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403384
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_004067CD0_2_004067CD
    Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 944
    Source: VVV.exeStatic PE information: invalid certificate
    Source: VVV.exe, 00000000.00000002.263174619.0000000002EF2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamezip.exe( vs VVV.exe
    Source: VVV.exe, 00000000.00000002.263638900.00000000030D0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs VVV.exe
    Source: VVV.exe, 00000000.00000002.263638900.00000000030D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs VVV.exe
    Source: VVV.exe, 00000000.00000002.249551119.000000000042D000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamexdmwgbohrg.exeh$ vs VVV.exe
    Source: VVV.exe, 00000000.00000002.263260745.0000000002FD0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs VVV.exe
    Source: VVV.exeBinary or memory string: OriginalFilenamexdmwgbohrg.exeh$ vs VVV.exe
    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dllJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
    Source: Pigeon_39.exe.0.drStatic PE information: Section: ZLIB complexity 0.993098958333
    Source: RealtekSb.exe.1.drStatic PE information: Section: ZLIB complexity 0.993098958333
    Source: classification engineClassification label: mal100.troj.evad.winEXE@27/12@2/2
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00403384 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403384
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00404661 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404661
    Source: C:\Users\user\Desktop\VVV.exeCode function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Roaming\OutbreakJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_01
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeMutant created: \Sessions\1\BaseNamedObjects\{1D463886-A965-4092-BADB-BB397C4DDE59}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_01
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeMutant created: \Sessions\1\BaseNamedObjects\btirweunhdtr-hard(
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Local\Temp\nspCEA9.tmpJump to behavior
    Source: VVV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\VVV.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: VVV.exeReversingLabs: Detection: 79%
    Source: RealtekSb.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: RealtekSb.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: RealtekSb.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\VVV.exeFile read: C:\Users\user\Desktop\VVV.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\VVV.exe 'C:\Users\user\Desktop\VVV.exe'
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exe 'C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exe'
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Software\Glad_84.exe 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe'
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Software\Crew_95.exe 'C:\Users\user\AppData\Roaming\Software\Crew_95.exe'
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
    Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 944
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc install MicrosoftDefenderBackup C:\ProgramData\Microsoft\MicrosoftDefender\WUDHost.exe
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc start MicrosoftDefenderBackup
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc set MicrosoftDefenderBackup start SERVICE_AUTO_START && mwc start MicrosoftDefenderBackup
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe 'C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe'
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping -n 5 localhost < nul & del /F /Q 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
    Source: C:\Users\user\Desktop\VVV.exeProcess created: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exe 'C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exe' Jump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess created: C:\Users\user\AppData\Roaming\Software\Glad_84.exe 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe' Jump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess created: C:\Users\user\AppData\Roaming\Software\Crew_95.exe 'C:\Users\user\AppData\Roaming\Software\Crew_95.exe' Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeProcess created: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc install MicrosoftDefenderBackup C:\ProgramData\Microsoft\MicrosoftDefender\WUDHost.exeJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc start MicrosoftDefenderBackupJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\ProgramData\Microsoft\MicrosoftDefender && mwc set MicrosoftDefenderBackup start SERVICE_AUTO_START && mwc start MicrosoftDefenderBackupJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping -n 5 localhost < nul & del /F /Q 'C:\Users\user\AppData\Roaming\Software\Glad_84.exe'Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
    Source: C:\Users\user\Desktop\VVV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: VVV.exeStatic file information: File size 16520930 > 1048576
    Source: VVV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Data Obfuscation:

    barindex
    Detected unpacking (changes PE section rights)Show sources
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeUnpacked PE file: 1.2.Pigeon_39.exe.1210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jitzdicr:EW;ukyhnutt:EW; vs :ER;.rsrc:W;m%:W; :EW;jitzdicr:EW;ukyhnutt:EW;
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeUnpacked PE file: 3.2.Glad_84.exe.10c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qyelnmuy:EW;jkykjdkk:EW; vs :ER;.rsrc:W; :W; :EW;qyelnmuy:EW;jkykjdkk:EW;
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeUnpacked PE file: 4.2.Crew_95.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cdpekpgj:EW;mjvkyrev:EW; vs :ER;.rsrc:W;8E:W; :EW;cdpekpgj:EW;mjvkyrev:EW;
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeUnpacked PE file: 5.2.RealtekSb.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jitzdicr:EW;ukyhnutt:EW; vs :ER;.rsrc:W;m-%:W; :EW;jitzdicr:EW;ukyhnutt:EW;
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeUnpacked PE file: 6.2.RealtekSb.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jitzdicr:EW;ukyhnutt:EW; vs :ER;.rsrc:W;m-%:W; :EW;jitzdicr:EW;ukyhnutt:EW;
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeUnpacked PE file: 16.2.RealtekSb.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jitzdicr:EW;ukyhnutt:EW; vs :ER;.rsrc:W;m-%:W; :EW;jitzdicr:EW;ukyhnutt:EW;
    Source: initial sampleStatic PE information: section where entry point is pointing to: ukyhnutt
    Source: System.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xd8f8
    Source: Pigeon_39.exe.0.drStatic PE information: real checksum: 0x6d9a1e should be: 0x6d5f82
    Source: VVV.exeStatic PE information: real checksum: 0x0 should be:
    Source: RealtekSb.exe.1.drStatic PE information: real checksum: 0x6d9a1e should be: 0x6d5f82
    Source: Pigeon_39.exe.0.drStatic PE information: section name:
    Source: Pigeon_39.exe.0.drStatic PE information: section name: .idata
    Source: Pigeon_39.exe.0.drStatic PE information: section name:
    Source: Pigeon_39.exe.0.drStatic PE information: section name: jitzdicr
    Source: Pigeon_39.exe.0.drStatic PE information: section name: ukyhnutt
    Source: RealtekSb.exe.1.drStatic PE information: section name:
    Source: RealtekSb.exe.1.drStatic PE information: section name: .idata
    Source: RealtekSb.exe.1.drStatic PE information: section name:
    Source: RealtekSb.exe.1.drStatic PE information: section name: jitzdicr
    Source: RealtekSb.exe.1.drStatic PE information: section name: ukyhnutt
    Source: initial sampleStatic PE information: section name: entropy: 7.98189944206
    Source: initial sampleStatic PE information: section name: entropy: 7.98189944206
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeJump to dropped file
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Local\Temp\nspCF47.tmp\System.dllJump to dropped file
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeFile created: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeJump to dropped file
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Roaming\Software\Crew_95.exeJump to dropped file
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Roaming\Software\software.exeJump to dropped file
    Source: C:\Users\user\Desktop\VVV.exeFile created: C:\Users\user\AppData\Roaming\Software\Glad_84.exeJump to dropped file
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnkJump to behavior
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnkJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicketJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\VVV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Tries to detect sandboxes / dynamic malware analysis system (registry check)Show sources
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Glad_84.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Software\Crew_95.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000155D459 second address: 000000000155CCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F66507984F8h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f or dword ptr [ebp+15172AABh], edi 0x00000015 push dword ptr [ebp+1517138Dh] 0x0000001b xor dword ptr [ebp+15171862h], ecx 0x00000021 call dword ptr [ebp+151717EFh] 0x00000027 pushad 0x00000028 clc 0x00000029 xor eax, eax 0x0000002b or dword ptr [ebp+1517279Ah], edx 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jmp 00007F6650798501h 0x0000003a mov dword ptr [ebp+15172C9Ah], eax 0x00000040 stc 0x00000041 mov esi, 0000003Ch 0x00000046 or dword ptr [ebp+15172A96h], edi 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 mov dword ptr [ebp+15172A96h], edi 0x00000056 lodsw 0x00000058 jc 00007F66507984FCh 0x0000005e mov dword ptr [ebp+15172AB0h], ecx 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 sub dword ptr [ebp+1517199Ch], ebx 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 sub dword ptr [ebp+1517279Ah], edx 0x00000078 sub dword ptr [ebp+1517199Ch], esi 0x0000007e nop 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 jnp 00007F66507984F6h 0x00000089 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000155CCC7 second address: 000000000155CCCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001870DF3 second address: 0000000001870E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66507984FEh 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935725 second address: 000000000193574E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007F66507D432Ch 0x0000000b jnl 00007F66507D4328h 0x00000011 popad 0x00000012 jng 00007F66507D433Eh 0x00000018 push eax 0x00000019 jnp 00007F66507D4326h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019358E0 second address: 00000000019358F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F66507984F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019358F0 second address: 00000000019358F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019358F4 second address: 00000000019358F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019358F8 second address: 0000000001935902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935902 second address: 0000000001935910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66507984FAh 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935910 second address: 000000000193592E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F66507D4336h 0x0000000d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935A92 second address: 0000000001935A9D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935D32 second address: 0000000001935D38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935D38 second address: 0000000001935D92 instructions: 0x00000000 rdtsc 0x00000002 je 00007F665079850Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F6650798508h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jg 00007F665079850Bh 0x0000001d jmp 00007F6650798505h 0x00000022 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935D92 second address: 0000000001935DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66507D432Ch 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001935DA2 second address: 0000000001935DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001938824 second address: 0000000001938828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001938967 second address: 000000000193896D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000193896D second address: 00000000019389AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F66507D4338h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F66507D4334h 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019389AE second address: 00000000019389C2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F66507984F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019389C2 second address: 0000000001938A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b jmp 00007F66507D432Ah 0x00000010 jmp 00007F66507D4332h 0x00000015 popad 0x00000016 pop eax 0x00000017 call 00007F66507D4338h 0x0000001c mov dword ptr [ebp+15172ABEh], edx 0x00000022 pop edi 0x00000023 push 00000003h 0x00000025 mov esi, dword ptr [ebp+15172DBAh] 0x0000002b movsx esi, ax 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F66507D4328h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a push ecx 0x0000004b pop edx 0x0000004c adc esi, 53E6F310h 0x00000052 push 00000003h 0x00000054 mov ecx, dword ptr [ebp+15172DFAh] 0x0000005a cld 0x0000005b push DF57E911h 0x00000060 pushad 0x00000061 push ecx 0x00000062 jmp 00007F66507D4334h 0x00000067 pop ecx 0x00000068 push edi 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001938A6B second address: 0000000001938A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xor dword ptr [esp], 1F57E911h 0x0000000d pushad 0x0000000e jbe 00007F66507984FCh 0x00000014 mov dword ptr [ebp+1517199Ch], ebx 0x0000001a mov edx, 05813D4Ch 0x0000001f popad 0x00000020 lea ebx, dword ptr [ebp+1554F63Ah] 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jno 00007F66507984F6h 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001938A9E second address: 0000000001938AC8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66507D4333h 0x00000008 jmp 00007F66507D432Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 js 00007F66507D4326h 0x00000018 pop ebx 0x00000019 pushad 0x0000001a jng 00007F66507D4326h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001938C6F second address: 0000000001938C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000194AFAB second address: 000000000194AFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66507D4335h 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000194AFC4 second address: 000000000194AFE1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007F6650798500h 0x00000011 pop edi 0x00000012 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195D339 second address: 000000000195D33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B208 second address: 000000000195B226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 jmp 00007F6650798507h 0x0000000b pop esi 0x0000000c rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B37A second address: 000000000195B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B4FF second address: 000000000195B503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B918 second address: 000000000195B91F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B91F second address: 000000000195B925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B925 second address: 000000000195B92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B92E second address: 000000000195B932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195B932 second address: 000000000195B936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195BBDD second address: 000000000195BBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jnp 00007F66507984F6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195BECD second address: 000000000195BF06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66507D4330h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F66507D4339h 0x00000014 jbe 00007F66507D4326h 0x0000001a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195BF06 second address: 000000000195BF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195C1B3 second address: 000000000195C1B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195C1B9 second address: 000000000195C1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6650798503h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195C1D6 second address: 000000000195C1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195C4D4 second address: 000000000195C4D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195C4D8 second address: 000000000195C4DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195CE51 second address: 000000000195CE9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 jmp 00007F6650798501h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F6650798504h 0x00000015 jng 00007F665079850Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195CE9F second address: 000000000195CEA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000195F60B second address: 000000000195F610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001964A58 second address: 0000000001964A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001964A5C second address: 0000000001964A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196940C second address: 0000000001969410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001969410 second address: 0000000001969434 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6650798506h 0x0000000b jg 00007F6650798502h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001969434 second address: 000000000196943A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196943A second address: 000000000196944D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F66507984F8h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196944D second address: 0000000001969494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66507D4337h 0x00000009 jmp 00007F66507D432Ah 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F66507D4338h 0x00000015 jnp 00007F66507D4326h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196899A second address: 00000000019689D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F66507984F6h 0x0000000c popad 0x0000000d pushad 0x0000000e jo 00007F66507984F6h 0x00000014 jmp 00007F6650798506h 0x00000019 jnp 00007F66507984F6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jo 00007F66507984F8h 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001968B4C second address: 0000000001968B69 instructions: 0x00000000 rdtsc 0x00000002 js 00007F66507D433Fh 0x00000008 jmp 00007F66507D4333h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001968F99 second address: 0000000001968F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001968F9D second address: 0000000001968FAA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F66507D4326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001969271 second address: 0000000001969275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001969275 second address: 000000000196928E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F66507D432Fh 0x0000000f rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196D5B7 second address: 000000000196D5C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F66507984F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196D5C3 second address: 000000000196D5EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D4330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F66507D4347h 0x0000000f pushad 0x00000010 jp 00007F66507D4326h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196D5EB second address: 000000000196D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196DD88 second address: 000000000196DD8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196DD8C second address: 000000000196DDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F6650798505h 0x00000010 mov eax, dword ptr [eax] 0x00000012 ja 00007F6650798502h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F6650798508h 0x00000024 jmp 00007F66507984FCh 0x00000029 popad 0x0000002a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196DF9C second address: 000000000196DFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196E273 second address: 000000000196E27D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66507984F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196E35E second address: 000000000196E362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196E362 second address: 000000000196E366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196E366 second address: 000000000196E36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196F5F4 second address: 000000000196F601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001972AED second address: 0000000001972B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D4337h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F66507D4330h 0x0000000e jbe 00007F66507D4332h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000186F333 second address: 000000000186F348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6650798500h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000186F348 second address: 000000000186F34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001974727 second address: 0000000001974744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6650798508h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001974744 second address: 0000000001974754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66507D432Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001974754 second address: 00000000019747BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+151729C1h], esi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F66507984F8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a xor edi, 02AFACFEh 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F66507984F8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c mov dword ptr [ebp+151722A6h], edi 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jbe 00007F66507984F6h 0x0000005c rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001975229 second address: 000000000197522D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001975D7F second address: 0000000001975D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001977385 second address: 000000000197738C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197738C second address: 00000000019773F8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66507984FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F66507984F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov dword ptr [ebp+15173B9Ch], ecx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007F66507984F8h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 push 00000000h 0x00000049 movsx edi, cx 0x0000004c xchg eax, ebx 0x0000004d push ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019773F8 second address: 00000000019773FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001978FF8 second address: 0000000001978FFE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001978FFE second address: 0000000001979006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001979006 second address: 000000000197900A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197B606 second address: 000000000197B623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66507D4338h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197B623 second address: 000000000197B6DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6650798501h 0x00000008 jmp 00007F6650798507h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F66507984F8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, esi 0x0000002f push 00000000h 0x00000031 sub dword ptr [ebp+15580C3Dh], ecx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F66507984F8h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 call 00007F6650798507h 0x00000058 call 00007F6650798503h 0x0000005d pop edi 0x0000005e pop ebx 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 push edi 0x00000064 pop edi 0x00000065 pop ecx 0x00000066 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197C695 second address: 000000000197C699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197C699 second address: 000000000197C69E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197D5F4 second address: 000000000197D60F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D4337h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197D60F second address: 000000000197D693 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F66507984F8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F66507984F8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f add dword ptr [ebp+15171983h], edx 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007F66507984F8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F66507984FFh 0x0000006a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000197E660 second address: 000000000197E664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001986235 second address: 0000000001986299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F66507984FAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F66507984FAh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 movzx edi, di 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F66507984F8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 add ebx, dword ptr [ebp+15172CA2h] 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F6650798505h 0x00000043 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019872BC second address: 00000000019872C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001989367 second address: 000000000198936D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000198936D second address: 00000000019893E8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F66507D432Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F66507D4328h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov di, dx 0x0000002a push 00000000h 0x0000002c pushad 0x0000002d sub di, 8989h 0x00000032 popad 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F66507D4328h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov di, cx 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 jmp 00007F66507D4331h 0x0000005b pop eax 0x0000005c rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000018742FA second address: 0000000001874301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001874301 second address: 0000000001874319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66507D4332h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000199330A second address: 000000000199330E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000199330E second address: 000000000199333E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D432Ch 0x00000007 jmp 00007F66507D4334h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jnl 00007F66507D4326h 0x0000001a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000187B009 second address: 000000000187B00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001999475 second address: 000000000199948F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D432Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000199948F second address: 0000000001999493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001999493 second address: 00000000019994A0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F66507D4326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001999554 second address: 000000000199955A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 0000000001999606 second address: 000000000155CCC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 2E8383EAh 0x0000000e jmp 00007F66507D4332h 0x00000013 pushad 0x00000014 add bx, 5914h 0x00000019 pushad 0x0000001a push esi 0x0000001b pop edx 0x0000001c push edx 0x0000001d pop ebx 0x0000001e popad 0x0000001f popad 0x00000020 push dword ptr [ebp+1517138Dh] 0x00000026 js 00007F66507D432Dh 0x0000002c call dword ptr [ebp+151717EFh] 0x00000032 pushad 0x00000033 clc 0x00000034 xor eax, eax 0x00000036 or dword ptr [ebp+1517279Ah], edx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jmp 00007F66507D4331h 0x00000045 mov dword ptr [ebp+15172C9Ah], eax 0x0000004b stc 0x0000004c mov esi, 0000003Ch 0x00000051 or dword ptr [ebp+15172A96h], edi 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b mov dword ptr [ebp+15172A96h], edi 0x00000061 lodsw 0x00000063 jc 00007F66507D432Ch 0x00000069 mov dword ptr [ebp+15172AB0h], ecx 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 sub dword ptr [ebp+1517199Ch], ebx 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d sub dword ptr [ebp+1517279Ah], edx 0x00000083 sub dword ptr [ebp+1517199Ch], esi 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c push eax 0x0000008d push edx 0x0000008e jnp 00007F66507D4326h 0x00000094 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000186BDAF second address: 000000000186BDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A012A second address: 00000000019A0130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0130 second address: 00000000019A013E instructions: 0x00000000 rdtsc 0x00000002 js 00007F66507984F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A013E second address: 00000000019A0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66507D4339h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F66507D4341h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0184 second address: 00000000019A018D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A073C second address: 00000000019A0744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0744 second address: 00000000019A074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A074F second address: 00000000019A0759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F66507D4326h 0x0000000a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0759 second address: 00000000019A0769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F66507984FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0A10 second address: 00000000019A0A2C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F66507D4326h 0x0000000d jmp 00007F66507D432Eh 0x00000012 popad 0x00000013 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0A2C second address: 00000000019A0A85 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F6650798500h 0x0000000a pop esi 0x0000000b jne 00007F66507984F8h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 jg 00007F66507984F6h 0x0000001e jns 00007F66507984F6h 0x00000024 pop ebx 0x00000025 pushad 0x00000026 jmp 00007F66507984FFh 0x0000002b jmp 00007F6650798502h 0x00000030 jc 00007F66507984F6h 0x00000036 popad 0x00000037 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0A85 second address: 00000000019A0A90 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F66507D4326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0A90 second address: 00000000019A0A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0BD9 second address: 00000000019A0BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jg 00007F66507D4326h 0x0000000d pop ecx 0x0000000e rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0D56 second address: 00000000019A0D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A0D5A second address: 00000000019A0D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019AA016 second address: 00000000019AA055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007F665079850Fh 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F6650798501h 0x00000012 ja 00007F66507984F6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019AA055 second address: 00000000019AA05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019AA05D second address: 00000000019AA08C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6650798508h 0x0000000d jp 00007F66507984F6h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F66507984F6h 0x0000001c rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019AA08C second address: 00000000019AA090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A8DBD second address: 00000000019A8DC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196B49B second address: 000000000196B4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196B4A1 second address: 000000000155CCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F66507984F8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov edi, 2DDBF3BCh 0x00000026 push dword ptr [ebp+1517138Dh] 0x0000002c mov dh, ah 0x0000002e mov cx, DC5Ch 0x00000032 call dword ptr [ebp+151717EFh] 0x00000038 pushad 0x00000039 clc 0x0000003a xor eax, eax 0x0000003c or dword ptr [ebp+1517279Ah], edx 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 jmp 00007F6650798501h 0x0000004b mov dword ptr [ebp+15172C9Ah], eax 0x00000051 stc 0x00000052 mov esi, 0000003Ch 0x00000057 or dword ptr [ebp+15172A96h], edi 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 mov dword ptr [ebp+15172A96h], edi 0x00000067 lodsw 0x00000069 jc 00007F66507984FCh 0x0000006f mov dword ptr [ebp+15172AB0h], ecx 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 sub dword ptr [ebp+1517199Ch], ebx 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 sub dword ptr [ebp+1517279Ah], edx 0x00000089 sub dword ptr [ebp+1517199Ch], esi 0x0000008f nop 0x00000090 push eax 0x00000091 push edx 0x00000092 push eax 0x00000093 push edx 0x00000094 jnp 00007F66507984F6h 0x0000009a rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196C193 second address: 000000000196C197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196C28B second address: 000000000196C2A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6650798509h 0x00000009 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196C2A8 second address: 000000000196C304 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub dword ptr [ebp+1517B73Ch], ebx 0x0000000f mov ecx, dword ptr [ebp+151721FEh] 0x00000015 lea eax, dword ptr [ebp+15581D91h] 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F66507D4328h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 mov dword ptr [ebp+15171B47h], edx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F66507D4339h 0x00000043 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196C304 second address: 000000000196C366 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F66507984FCh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+15172AABh], edx 0x00000014 lea eax, dword ptr [ebp+15581D4Dh] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F66507984F8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 cmc 0x00000035 push eax 0x00000036 pushad 0x00000037 jmp 00007F6650798505h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 000000000196C366 second address: 00000000019506F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F66507D4328h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 call dword ptr [ebp+15172A58h] 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f js 00007F66507D4326h 0x00000035 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A913C second address: 00000000019A9142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A9142 second address: 00000000019A9146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\AppData\Roaming\Outbreak\Pigeon_39.exeRDTSC instruction interceptor: First address: 00000000019A9146 seco